Privacy watchdogs in the U.K. and Canada have launched a joint investigation into the data breach at 23andMe last year.
On Monday, the U.K.’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced their investigation into the genetic testing company, saying the organizations will leverage “the combined resources and expertise of their two offices.”
Last year, 23andMe disclosed a security incident that affected the genetic and ancestry data of 6.9 million users, or roughly half of its total user base. In its data breach notices, the company said it didn’t detect the hackers’ activities for around five months, from April until September 2023. 23andMe said it only became aware of the account breaches in October 2023, when hackers advertised the stolen data on the unofficial 23andMe subreddit and a well-known hacking forum.
The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
Hackers broke into around 14,000 accounts of 23andMe customers by reusing their passwords from previous breaches, a technique known as password spraying. From these 14,000 accounts, the hackers were able to scrape information on millions of other people thanks to an opt-in feature called DNA Relatives, which allowed users to automatically share some of their data with other people who had also opted in, with the goal of uncovering far-away relatives. That’s how the hackers were able to scrape information on 6.9 million users by only hacking 14,000 accounts.
In a statement, ICO Commissioner John Edwards was quoted as saying that people “need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.”
“This data breach had a global impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the U.K. is protected,” said Edwards.
The joint U.K.-Canada investigation will look into the scope of information exposed and the potential harm to the victims; whether 23andMe “had adequate safeguards” to protect users’ sensitive data; and whether 23andMe “provided adequate notification” to the ICO and the OPC.
23andMe spokespeople didn’t immediately respond to a request for comment.