Joint UK and Canada investigation into 23andMe data breach

The ICO and the Office of the Privacy Commissioner of Canada have launched a joint investigation into the 23andMe data breach that happened in October 2023. The genetic testing firm studies people’s DNA data in collaboration with researchers to discover novel treatments for patients. It also operates an ancestry service.

At the time of the breach, 23andMe said that it exposed roughly 14,000 user accounts, less than 0.1% of its 14 million customers.

“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which was connected to the compromised accounts.”

The regulators will examine:

  • the scope of information that was exposed by the breach and potential harms to affected people;
  • whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
  • whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.

The two regulators have a Memorandum of Understanding on this type of cooperation, and both also recently signed the Global Cooperation Arrangement for Privacy Enforcement (CAPE).

Information Commissioner John Edwards and Canada’s Privacy Commissioner Philippe Dufresne, together with Ulrich Kelber, Germany’s Federal Commissioner for Data Protection and Freedom of Information, will speak on Monday 1 July about cross-regulatory cooperation at the PL&B 37th International Conference in Cambridge.