Canada, U.K. launch joint privacy investigation into 23andMe data breach

globalnews.ca:

23andMe following a data breach in October 2023.The company offers direct-to-consumer genetic testing that can be used to look into ancestry information and potential health conditions customers may be genetically predisposed to.“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” privacy commissioner Philippe Dufresne said in a press release.“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”The joint statement by the two privacy watchdogs says they will work collaboratively to investigate the scope of the information compromised in the October data breach and potential harms to individuals, whether 23andMe had adequate safeguards in place, and whether the company provided adequate notification on the breach to Canadian and British regulators as outlined under the countries’ respective privacy laws.In an emailed response, 23andMe says they acknowledge the investigation and they intend to cooperate with the regulators’ “reasonable requests.”In a Dec. 5, 2023 post on its website, the company says its internal investigation found that the person responsible for the breach was able to access “roughly 14,000” user accounts.

The company says this represents less than 0.1 per cent of its 14 million users.However, the responsible party was able to use a compromised credential to access the information included in “a significant number” of DNA Relative and Family Tree accounts, which were connected to compromised accounts.Combined, the company says this totals around 6.9 million 23andMe users. 23andMe says they do not have specific numbers they can