Privacy watchdogs in the U.K. and Canada have launched a joint investigation into the data breach at 23andMe last year.
On Monday, the U.K.’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced their investigation into the genetic testing company, saying the organizations will leverage “the combined resources and experience of their two offices.”
Last year, 23andMe disclosed a security incident that affected the genetic and ancestry data of 6.9 million users, or roughly half of its total customer base. In its data breach notices, the company said it did not detect the hackers’ activity for around five months, from April until September 2023. 23andMe said it only became aware of the account breaches in October 2023, when hackers advertised the stolen data on the unofficial 23andMe subreddit and a well-known hacking forum.
The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
Hackers broke into around 14,000 accounts of 23andMe customers by reusing their passwords from earlier breaches, a technique known as password spraying. From these 14,000 accounts, the hackers were able to scrape information on millions of other people because of an opt-in feature called DNA Relatives, which allowed users to automatically share some of their data with other people who had also opted in, with the goal of uncovering distant relatives. That is how the hackers were able to scrape information on 6.9 million users by hacking only 14,000 accounts.
In a press release, ICO Commissioner John Edwards was quoted as saying that individuals “have to trust that any organisation dealing with their most sensitive private data has the suitable security and safeguards in place.”
“This data breach had a global impact, and we look forward to collaborating with our Canadian counterparts to make sure the private data of individuals in the U.K. is protected,” said Edwards.
The joint U.K.-Canada investigation will look into the scope of the data exposed and the potential harm to the victims; whether 23andMe “had sufficient safeguards” to protect users’ sensitive data; and whether 23andMe “supplied sufficient notification” to the ICO and the OPC.
23andMe spokespeople did not immediately respond to a request for comment.