23andMe's disastrous data breach just landed it a regulatory probe

23andMe logo and branding pictured on a sign outside the company headquarters in Sunnyvale, California.
(Image credit: Getty Images)

Regulators have announced a joint investigation into last year's data breach at genetic testing firm 23andMe, including the firm’s handling of the incident.

The investigation will be undertaken by the UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC), leveraging the combined resources of both.

The probe will focus on three key areas, the first of which is the scope of information exposed during the breach and the extent to which that information may be harmful to breach victims.

Crucially, it will also look at whether 23andMe had “adequate safeguards” in place to protect sensitive customer data in the first instance, and whether the company provided “adequate notification” about the breach to both regulators.

The ICO and OPC will also consider whether 23andMe provided the level of notification about the breach to those affected that Canadian and UK data protection laws require.

Public trust in a service like 23andMe is “essential,” the ICO said in its statement, given that the firm is a “custodian of highly sensitive” data such as genetic information.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Canadian privacy commissioner Philippe Dufresne.

“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world,” he added. 

ICO chief exec John Edwards added to these sentiments, stating that “people need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place”. 

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” he added.

23andMe’s fumbled response in the spotlight 

In December 2023, 23andMe confirmed that it had been the victim of a data breach that saw threat actors reportedly steal and expose the ancestry data of nearly 7 million people, half the firm’s customer base at the time.

An investigation into the attack by the firm revealed that hackers used credential-stuffing attacks to gain access to 23andMe’s systems.

The real issue for 23andMe, however, was its reaction to the breach, which saw the firm blame victims by claiming users “failed to update their passwords following past security incidents unrelated to 23andMe” in a letter to victims. 

In the letter, 23andMe concluded that the breach was not the result of its own “failure to maintain reasonable security measures,” but rather down to the cyber safety practices of its user base.


This claim did not go down well with many, and insult was added to injury for 23andMe when the firm revealed just weeks later that the data breach had been ongoing for 5 months before being detected. 
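The two facts above (a credential-stuffing attack, and a detection gap of several months) are the kind of thing a simple authentication-log check catches early. The following is an added illustration written for this article, not code from 23andMe or from the investigation: it scans constructed login events for a single source trying many distinct accounts with a low success rate, the signature of stuffing with leaked credentials, and reports which accounts that source nevertheless got into. The log format, thresholds and IP addresses are assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source_ip username result".
# 203.0.113.7 tries six accounts in seconds and lands two of them; the other
# sources are a user retrying their own password and a normal login.
SAMPLE_LOG = """\
2023-10-01T08:00:01Z 203.0.113.7 alice FAIL
2023-10-01T08:00:02Z 203.0.113.7 bob FAIL
2023-10-01T08:00:03Z 203.0.113.7 carol SUCCESS
2023-10-01T08:00:04Z 203.0.113.7 dave FAIL
2023-10-01T08:00:05Z 203.0.113.7 erin FAIL
2023-10-01T08:00:06Z 203.0.113.7 frank SUCCESS
2023-10-01T08:05:00Z 198.51.100.9 alice FAIL
2023-10-01T08:05:30Z 198.51.100.9 alice SUCCESS
2023-10-01T09:00:00Z 192.0.2.44 grace SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: sorted accounts it logged into} for every source that
    attempted at least `min_accounts` distinct accounts inside `window` with a
    success rate of at most `max_success_rate`. Thresholds are assumptions."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in by_ip.items():
        start = 0  # sliding window over this source's time-ordered attempts
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            if len({u for _, u, _ in win}) < min_accounts:
                continue
            if sum(ok for _, _, ok in win) / len(win) <= max_success_rate:
                hit = {u for _, u, ok in win if ok}  # accounts the source got into
                findings[ip] = sorted(set(findings.get(ip, [])) | hit)
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}; compromised accounts: {accounts}")
```

The flagged accounts are the ones to force a password reset and session revocation on, independent of whether the user reused a password leaked elsewhere.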

Despite initial attempts to shift the blame, 23andMe’s security posture and subsequent breach notification are now in the firing line of regulatory bodies on both sides of the Atlantic. 

George Fitzmaurice
Staff Writer

George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.