Privacy watchdogs in the U.K. and Canada have launched a joint investigation into the data breach at 23andMe last year.
On Monday, the U.K.’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced their investigation into the genetic testing company, saying the organizations will leverage “the combined resources and expertise of their two offices.”
Last year, 23andMe disclosed a security incident that affected the genetic and ancestry data of 6.9 million users, or roughly half of its overall user base. In its data breach notices, the company said it didn’t detect the hackers’ activities for around five months, from April until September 2023. 23andMe said it only became aware of the account breaches in October 2023, when hackers advertised the stolen data on the unofficial 23andMe subreddit and a well-known hacking forum.
The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
Hackers broke into around 14,000 accounts of 23andMe customers by reusing passwords those customers had exposed in earlier, unrelated breaches, a technique known as credential stuffing. From those 14,000 accounts, the hackers were able to scrape information on millions of other people through an opt-in feature called DNA Relatives, which automatically shares some of a user’s data with other users who have also opted in, with the goal of uncovering distant relatives. That is how compromising just 14,000 accounts yielded data on 6.9 million users.
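The attack pattern described above has a recognizable signature in authentication logs: a small number of sources attempting logins against a large number of distinct accounts, with most attempts failing because the reused password is wrong. The following is an added example, not code from 23andMe or from this article, showing how a defender might flag that pattern and derive the list of accounts that need a forced password reset. The login records, field names, and thresholds are constructed assumptions for illustration, not any vendor's log format.

```python
"""Credential-stuffing detection over constructed login records.

Credential stuffing replays username/password pairs leaked in earlier
breaches against a different site. Unlike a single user mistyping a
password, one source cycles through many *distinct* accounts, most
attempts fail, and the few successes land on unrelated accounts.
Everything below (events, IPs, thresholds) is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed value)
    source_ip: str   # client address as recorded by the login service
    account: str     # account the attempt targeted
    success: bool    # whether the credentials were accepted


def build_sample_events():
    """Constructed sample: one stuffing source and one legitimate retrying user."""
    events = []
    base = 1_700_000_000
    # Attacker: 50 distinct accounts from one IP within 5 minutes, 3 successes
    # (the reused passwords happened to still be valid on those accounts).
    for i in range(50):
        events.append(LoginEvent(base + i * 6, "203.0.113.7",
                                 f"user{i:03d}@example.com",
                                 success=i in (7, 19, 41)))
    # Legitimate user: four tries on a single account, last one succeeds.
    for j, ok in enumerate([False, False, False, True]):
        events.append(LoginEvent(base + 100 + j * 15, "198.51.100.4",
                                 "alice@example.com", ok))
    return events


def detect_credential_stuffing(events, window_s=600, min_accounts=20,
                               max_success_rate=0.2):
    """Return {source_ip: summary} for sources whose activity inside any
    sliding window of window_s seconds targets at least min_accounts distinct
    accounts with a success rate at or below max_success_rate.

    For a flagged source the summary describes the window with the most
    distinct accounts, including which accounts were successfully entered.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source_ip].append(e)

    findings = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_s seconds.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            accounts = {e.account for e in window}
            if len(accounts) < min_accounts:
                continue
            entered = sorted({e.account for e in window if e.success})
            rate = len(entered) / len(window)
            if rate > max_success_rate:
                continue  # too many successes to look like stuffing
            prev = findings.get(ip)
            if prev is None or len(accounts) > prev["distinct_accounts"]:
                findings[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(window),
                    "successes": len(entered),
                    "success_rate": round(rate, 3),
                    "compromised_accounts": entered,
                }
    return findings


def accounts_to_reset(findings):
    """Accounts successfully entered from a flagged source: these should be
    forced through a password reset and session revocation, since the valid
    credential is now known to be in an attacker's hands."""
    out = set()
    for summary in findings.values():
        out.update(summary["compromised_accounts"])
    return out


if __name__ == "__main__":
    found = detect_credential_stuffing(build_sample_events())
    for ip, summary in found.items():
        print(ip, summary)
    print("force reset:", sorted(accounts_to_reset(found)))
```

The thresholds are deliberately simple; a production detector would also correlate across sources (stuffing is usually spread over many IPs), compare the failing passwords against a known-breached list, and alert on the successes rather than only the failures, since a valid login from a source that just failed dozens of other accounts is the event that matters.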
In a statement, ICO Commissioner John Edwards was quoted as saying that people “need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.”
“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the U.K. is protected,” said Edwards.
The joint U.K.-Canada investigation will look into the scope of information exposed and the potential harm to the victims; whether 23andMe “had adequate safeguards” to protect users’ sensitive data; and whether 23andMe “provided adequate notification” to the ICO and the OPC.
23andMe spokesperson Andy Kill said in a statement that “23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today. We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”
UPDATE, June 10, 12:53 p.m. ET: This story was updated to include 23andMe’s comment.