Canadian and United Kingdom officials are launching a joint privacy probe into genetic testing company 23andMe following a data breach in October 2023.
The company offers direct-to-consumer genetic testing that can be used to look into ancestry information and potential health conditions customers may be genetically predisposed to.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” privacy commissioner Philippe Dufresne said in a press release.
“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
The joint statement by the two privacy watchdogs says they will work collaboratively to investigate the scope of the information compromised in the October data breach and potential harms to individuals, whether 23andMe had adequate safeguards in place, and whether the company provided adequate notification of the breach to Canadian and British regulators as outlined under the countries’ respective privacy laws.
Global News has reached out to 23andMe for comment.
In a Dec. 5, 2023 post on its website, the company says its internal investigation found that the person responsible for the breach was able to access “roughly 14,000” user accounts. The company says this represents less than 0.1 per cent of its 14 million users.
However, the responsible party was able to use a compromised credential to access the information included in “a significant number” of DNA Relative and Family Tree accounts, which were connected to compromised accounts.
Combined, the company says this totals around 6.9 million 23andMe users.
According to this investigation, 23andMe found its system was compromised through a method called “credential stuffing.” Essentially, this is when a bad actor takes a username and password exposed in an outside data breach and uses them to log in to a 23andMe account that has the same credentials.
The company says it has no indication the data security incident took place within its own systems.
As of Dec. 5, 2023, the company said it was in the process of contacting affected users as mandated by local privacy laws.