Canadian and UK Officials Launch Joint Privacy Probe

Toronto, June 8, 2024 – Canadian and United Kingdom privacy authorities have announced a joint investigation into the genetic testing company 23andMe following a significant data breach in October 2023. This breach has raised serious concerns about the security and misuse of genetic information.

23andMe, a leading provider of direct-to-consumer genetic testing, offers services that help customers explore their ancestry and assess potential health risks based on their genetic data. However, the recent breach compromised sensitive information, underscoring the potential for misuse in surveillance or discrimination.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” stated Philippe Dufresne, Canada’s privacy commissioner.

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The joint statement from the privacy watchdogs of Canada and the UK highlights their collaborative effort to investigate the extent of the compromised information, potential harm to individuals, the adequacy of 23andMe’s safeguards, and the company’s compliance with notification requirements under Canadian and British privacy laws.

23andMe disclosed in a Dec. 5, 2023, post that their internal investigation revealed approximately 14,000 user accounts were accessed during the breach. This number represents less than 0.1% of their 14 million users. However, the attacker used these compromised credentials to infiltrate a significant number of DNA Relative and Family Tree accounts, affecting around 6.9 million users.

The breach was executed through a method known as “credential stuffing,” where hackers use usernames and passwords from other data breaches to gain access to 23andMe accounts. The company has clarified that the incident did not originate from within their systems.

In response to the breach, 23andMe has implemented several security measures, including notifying affected customers, mandating password resets for all users, and enforcing two-factor authentication.

Privacy commissioners from both countries emphasize the critical need for robust data protection. “We are committed to ensuring that personal genetic information is protected from malicious actors,” Dufresne added. The investigation aims to hold 23andMe accountable and to strengthen future safeguards against such breaches.

As the probe continues, 23andMe faces heightened scrutiny from regulatory bodies and customers alike, underscoring the importance of stringent data security practices in the era of digital and genetic information.

For more updates on the investigation and data privacy measures, stay tuned to our coverage.