Privacy watchdogs in the U.K. and Canada have teamed up to launch a joint investigation into the data breach that occurred at 23andMe last year.
On Monday, the U.K.’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced their collaboration, stating that they will combine their resources and expertise for a comprehensive probe.
Last year, 23andMe revealed a security incident that compromised the genetic and ancestry information of 6.9 million users, which accounted for about half of its overall user base. According to the company’s data breach notices, the breach went undetected for approximately five months, from April to September 2023. 23andMe admitted that they only became aware of the unauthorized access in October 2023, when hackers advertised the stolen data on both an unofficial 23andMe subreddit and a well-known hacking forum.
The compromised data included sensitive personal information such as names, birth years, relationship labels, DNA shared with relatives, ancestry reports, and self-reported locations.
Hackers were able to breach around 14,000 accounts of 23andMe customers using a tactic known as password spraying, which involves using previously breached passwords. From those 14,000 accounts, they were able to scrape data on millions of other people thanks to an opt-in feature called DNA Relatives. This feature automatically shared some data with other opted-in users in hopes of connecting individuals with distant relatives. Through this feature, the hackers were able to obtain information on 6.9 million users by compromising only 14,000 accounts.
In a statement, ICO Commissioner John Edwards expressed the importance of trust in organizations handling sensitive personal information and emphasized the need for proper security measures.
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” Edwards stated.
“This data breach had an international impact, and we are eager to work alongside our Canadian counterparts to ensure the protection of personal information for individuals in the U.K.,” he added.
The joint investigation conducted by the U.K. and Canada will delve into the extent of information exposed and any potential harm inflicted on the victims. They will also evaluate 23andMe’s security measures to determine if they were adequate in safeguarding users’ sensitive data. Additionally, the investigation will assess whether the company provided sufficient notice to both the ICO and the OPC.
A spokesperson for 23andMe did not respond immediately when asked for comment on the investigation.