Genetics testing company 23andMe facing investigation over data breach

The Information Commissioner’s Office and Office of the Privacy Commissioner of Canada have announced a joint investigation into the 2023 incident.

Rosie Shead
Monday 10 June 2024 21:15 BST
A woman’s hand pressing keys of a laptop keyboard (Dominic Lipinski/PA)
A woman’s hand pressing keys of a laptop keyboard (Dominic Lipinski/PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A joint investigation into a data breach at DNA testing company 23andMe has been launched by the UK and Canada data protection watchdogs.

The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced the investigation into the October 2023 incident on Monday.

23andMe is a US-based genetics company that analyses its customers’ DNA through home saliva collection kits to provide insights on factors such as health and ancestry.

According to the company’s website, it has sold more than 12 million DNA testing kits since 2006.

The UK and Canadian data protection regulators said they will combine their expertise and resources to jointly conduct the investigation.

It will examine the scope of information exposed by the breach and potential harms to affected people, whether 23andMe had adequate safeguards to protect the information within its control and whether the company provided adequate notification about the breach to the two regulators and affected people.

This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected

Information Commissioner

The ICO said: “23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time.

“It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships.

“This makes public trust in these services essential.”

UK Information Commissioner John Edwards said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Privacy Commissioner of Canada Philippe Dufresne said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

In a statement, 23andMe said: “23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in