23andMe 2023 Data Breach Investigated by Security Regulators

Data security regulators in the U.K. and Canada have started a joint investigation of 23andMe concerning its 2023 data breach, in which about 7 million individuals, or approximately 50% of its clients, were impacted.

23andMe is a company offering direct-to-consumer genetic testing through DNA analysis of customers’ saliva samples, and it gives clients information regarding their health and ancestral roots. In October 2023, a hacker accessed users’ profile data and sold the data. 23andMe looked into the hacker’s statements and confirmed that its systems were not compromised; nevertheless, customers’ accounts were accessed during a credential-stuffing operation. Credential stuffing attacks use username and password pairs stolen in a breach at one company to attempt logins on accounts at another platform. This method only works when people reuse the same passwords across several platforms.
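As an added illustration of how a defender would spot such a campaign in authentication logs (example code added here, not from 23andMe or the original article; the log format, thresholds and sample lines are constructed assumptions): a credential-stuffing source tries many different usernames in a short window and fails on most of them, which is unlike a real user retrying one account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real 23andMe data). Each line:
# "<ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.7 bob@example.com FAIL
2023-05-01T10:00:05Z 203.0.113.7 carol@example.com SUCCESS
2023-05-01T10:00:07Z 203.0.113.7 dave@example.com FAIL
2023-05-01T10:00:09Z 203.0.113.7 erin@example.com FAIL
2023-05-01T10:00:11Z 203.0.113.7 frank@example.com FAIL
2023-05-01T10:02:00Z 198.51.100.20 carol@example.com FAIL
2023-05-01T10:02:30Z 198.51.100.20 carol@example.com SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that tried >= min_users distinct usernames inside one
    `window` with a failure ratio >= min_fail_ratio. A user mistyping a password
    fails on one account; a stuffing tool fails on most of the list it walks."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start until it spans <= window
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users), "failures": fails}
                break  # one qualifying window is enough to flag the source
    return flagged

def accounts_to_reset(log_text, flagged_ips):
    """Accounts a flagged source logged into: the reused-password accounts that
    need a forced reset and a breach notification."""
    return {user for line in log_text.strip().splitlines()
            for _, ip, user, result in [parse_line(line)]
            if ip in flagged_ips and result == "SUCCESS"}
```

The successful login from the flagged source is the account whose password was reused elsewhere; the legitimate user who mistyped once and then logged in is not flagged.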

The investigation of 23andMe confirmed the compromise of approximately 14,000 user accounts in a campaign that ran for about 5 months, between April 2023 and September 2023. The sensitive profile data of those users was compromised, along with the data of 5.5 million more clients who used its DNA Relatives feature, which enables clients to locate and connect with genetic kin. A group of 1.4 million clients who used that feature likewise had their Family Tree profile data accessed. The Family Tree data included names, birth year, self-reported location, and relationship labels.

The privacy commissioner of Canada, Philippe Dufresne, and the UK information commissioner, John Edwards, started an investigation of 23andMe to find out whether sufficient safety measures were put in place at 23andMe. Although password recycling made it possible for hackers to log into individual accounts, the breach had a worldwide effect and caused the compromise and theft of the information of countless individuals.

Although 23andMe blames clients for bad security practices, the investigation will strive to determine whether 23andMe could have done more to safeguard customer information. The data regulators are likewise seeking to determine the extent of the breach, the possible harm that clients may encounter, and whether the company complied with HIPAA data breach notification regulations and provided adequate details to the regulators and impacted persons. 23andMe stated that the firm will abide by the reasonable requests of regulators.

People have to be able to trust that any company managing their most sensitive personal data has the proper security measures in place. Because this data breach affected people worldwide, the UK regulator may need to collaborate with its Canadian counterpart to protect the personal data of people in the United Kingdom.

Malicious actors can misuse an individual’s genetic data for discrimination or surveillance. Protecting personal data against malware attacks is an essential focus for privacy regulators in Canada and worldwide.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA