Canada and the UK Investigate ‘23andMe’ Breach Impacting 6.9 Million People 

• The data breach affecting genetic testing company ‘23andMe’ is being investigated by privacy agencies in Canada and the United Kingdom.
• 23andMe accounts were breached in a credential-stuffing attack last year, exposing extremely sensitive user data.
• The investigation will check if the firm provided adequate database protection and notifications to the two regulators.

The privacy authorities for Canada and the U.K. started a joint investigation into the data breach suffered by global direct-to-consumer genetic testing company 23andMe, discovered in October 2023. The security incident in which hackers used customers' old passwords to steal data such as family trees, birth years, and geographic locations from 14,000 user accounts impacted 6.9 million people.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices – the Office of the Privacy Commissioner of Canada (OPC) and the UK’s independent regulator for data protection and information rights law Information Commissioner’s Office (ICO).

23andMe holds troves of highly sensitive personal details, including invariable genetic information and data on individuals and their family members, as well as their health, ethnicity, and biological relationships. OPC and ICO are set on examining the scope of information exposed by the breach and any potential harm to impacted people.

The investigation will also examine whether 23andMe took adequate measures to protect its database containing highly sensitive information and adequately informed the two regulators and affected individuals about the security incident, as required under Canadian and UK privacy and data protection laws.

In a series of data breach notifications submitted to California's attorney general, 23andMe said the attackers compromised user accounts without detection via credential stuffing techniques between April 29 and September 27, 2023. On November 6, the company introduced two-factor authentication.

Approximately 5.5 million ‘DNA Relatives’ profiles with data like “display name, predicted relationships, and percentage of DNA shared with matches” and 1.4 million ‘Family Tree’ profiles were connected to the compromised accounts, but the threat actor did not manage to exfiltrate DNA records in this intrusion.

The security incident attracted several lawsuits against 23andMe, and on November 30, the company updated its Terms of Use to prevent customers from formally suing the firm or pursuing class-action lawsuits against it.