UK and Canada launch joint investigation into 23andMe DNA data breach
Hackers access data of nearly seven million people from American DNA testing firm in October last year
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.British and Canadian data protection watchdogs have launched a joint investigation into last year’s data breach at DNA testing company 23andMe.
The American genetics firm allows customers to send in samples of their DNA and have them tested for genetic information about their health, lineage, or place of origin.
Some of this information was accessed by hackers in October 2023.
After the hackers seemingly attempted to sell the information online, the company said in a statement the data had been “compiled from individual 23andMe accounts without the account users’ authorisation”.
The hackers accessed the personal information of 6.9 million people, the firm told TechCrunch in December 2023.
According to its website, the company has sold more than 12 million DNA testing kits since 2006.
Canadian and British data protection regulators said they will pool their expertise and resources to conduct a joint investigation.
They will look into the scale of the breach and its potential harm to the customers, whether the company had adequate safeguards in place to protect the highly sensitive information under its control and whether it gave adequate notification about the breach to the regulators and the affected people as required by Canadian and British data protection laws.
“23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time,” the UK Information Commissioner’s Office said.
“It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.”
The company said it “acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner” and “intends to cooperate” with their “reasonable requests relating to the credential stuffing attack discovered in October 2023”.
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” UK information commissioner John Edwards said.
Canada’s privacy commissioner, Philippe Dufresne, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
Additional reporting by agencies
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments