Investigation Launched by UK and Canadian Watchdogs
A collaborative inquiry into a data breach at a genetic testing firm is underway, led by regulatory bodies in the UK and Canada. The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) jointly announced the investigation regarding the incident that occurred in October 2023.
23andMe’s DNA Analysis and Customer Base
23andMe, a US-based genetics company, provides DNA analysis services to customers using at-home saliva collection kits for insights into health and ancestry. Founded in 2006, the company boasts over 12 million DNA testing kit sales. The UK and Canadian data protection authorities will pool their knowledge and resources for this combined investigation.
Focus of the Investigation
The inquiry will delve into the extent of information exposed by the breach and the potential repercussions for those affected. Additionally, the investigation will assess the efficacy of 23andMe’s protective measures for safeguarding information and evaluate the adequacy of notifications about the breach to the regulators and impacted individuals. The ICO emphasized the critical nature of public trust in such services, given the sensitivity of the stored genetic data.
Statements from Information Commissioners
John Edwards, the UK Information Commissioner, stressed the importance of organizations ensuring proper security and protections for individuals’ sensitive information. He acknowledged the global implications of the data breach and anticipated a collaborative effort with Canadian authorities to safeguard the personal data of UK citizens. Privacy Commissioner of Canada, Philippe Dufresne, highlighted the risks of genetic data misuse for surveillance or discriminatory purposes.
Cooperation from 23andMe
23andMe released a statement confirming their intent to cooperate with regulators’ requests regarding the October 2023 credential stuffing attack.