The breach, discovered in October 2023, exposed nearly 7 million customers’ personal information, raising concerns about data security and customer notification practices.
The joint investigation aims to achieve a comprehensive understanding of the incident. This includes determining the extent of exposed information and potential harm caused to affected users; assessing the adequacy of 23andMe’s security measures in protecting sensitive genetic data; and evaluating whether the company promptly and transparently notified both regulators and affected individuals about the breach.
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” said John Edwards, the UK’s information commissioner.
“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Philippe Dufresne, Canada’s privacy commissioner, echoed the concerns, underlining the potential misuse of genetic information for surveillance or discrimination. He stressed the role of data protection authorities in ensuring adequate safeguards against such attacks.
Data protection and privacy legislation in both countries permit collaboration on matters of cross-jurisdictional impact.
23andMe has acknowledged the investigation and pledged to work with regulators, although the outcome could have significant consequences for the firm – including fines and required changes to its data security practices.
23andMe is a US firm providing genetic testing services to customers who submit a saliva sample to their laboratories. In return, they receive a report on their ancestry and genetic predispositions.
The DNA testing kits range from £79 to £129.
DNA Relatives proves dangerous
The data breach at 23andMe was only uncovered in October when hackers advertised the stolen data online, including on an unofficial subreddit dedicated to the company and a hacking forum.
It was later found that the hackers had also advertised the stolen data on another hacking forum months earlier, in August 2023.
In December, 23andMe wrote in an SEC statement that the threat actor was initially able to access just 0.1% of accounts on the site – about 14,000 profiles.
However, the attacker was ultimately able to leverage 23andMe’s DNA Relatives feature, an opt-in process to connect to other people with a close genetic match, to steal information on millions more users, bringing the total to about 6.9 million.
23andMe attempted to shift blame to customers, citing “poor security habits” as a contributing factor. The attackers initially used a credential stuffing technique, exploiting reused login credentials across multiple platforms.
While credential stuffing is a known threat, security measures like two-factor authentication (2FA) can help mitigate the risk. 23andMe only enabled 2FA by default in November 2023, a month after discovering the breach.
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
