Canadian and United Kingdom officials are launching a joint privacy probe into genetic testing company 23andMe following a data breach in October 2023.
The company offers direct-to-consumer genetic testing that can be used to look into ancestry information and potential health conditions customers may be genetically predisposed to.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” privacy commissioner Philippe Dufresne said in a press release.
“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
The joint statement by the two privacy watchdogs says they will work collaboratively to investigate the scope of the information compromised in the October data breach and potential harms to individuals, whether 23andMe had adequate safeguards in place, and whether the company provided adequate notification on the breach to Canadian and British regulators as outlined under the countries’ respective privacy laws.
In an emailed response, 23andMe says they acknowledge the investigation and they intend to cooperate with the regulators’ “reasonable requests.”
In a Dec. 5, 2023 post on its website, the company says its internal investigation found that the person responsible for the breach was able to access “roughly 14,000” user accounts. The company says this represents less than 0.1 per cent of its 14 million users.
However, the responsible party was able to use a compromised credential to access the information included in “a significant number” of DNA Relative and Family Tree accounts, which were connected to compromised accounts.
Combined, the company says this totals around 6.9 million 23andMe users. 23andMe says they do not have specific numbers they can share on how many of these accounts are in Canada.
According to this investigation, 23andMe found its system was compromised through a method called “credential stuffing.” Essentially, this is when a bad actor uses the username and password from an outside data breach that matched a 23andMe account.
The company says it has no indication the data security incident took place within its own systems.
In their emailed response to questions, 23andMe says they continue to notify customers impacted by the data breach. Since then, they required all users to reset their passwords and made two-factor authentication mandatory.
Comments