Privacy authorities in Canada and the United Kingdom have launched a joint investigation to assess the scope of sensitive customer information exposed in last year’s 23andMe data breach.
The Privacy Commissioner of Canada and The Information Commissioner’s Office (ICO) will also look into whether the company had adequate safeguards to secure customer data stored on its systems.
The joint investigation will also examine if 23andMe alerted affected individuals and the privacy regulators as required by Canadian and UK privacy and data protection laws.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world,” said Privacy Commissioner of Canada Philippe Dufresne.
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” UK Information Commissioner John Edwards added.
“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
23andMe accounts breached in credential-stuffing attack
In January, genetic testing provider 23andMe confirmed that the attackers stole health reports and raw genotype data of affected customers in a five-month credential-stuffing attack from April 29 to September 27.
The attackers used credentials stolen from other data breaches or compromised online platforms to breach 23andMe accounts.
Upon detecting the attack on October 10, 23andMe started requiring all customers to reset their passwords. Since November 6, two-factor authentication has been enabled by default for all new and existing customers.
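The attack pattern described above, reused credentials tried against many distinct accounts from the same source, has a recognisable footprint in authentication logs. As an added illustration that is not part of the article and not 23andMe's own tooling, the following Python detector flags source IPs whose login attempts within a sliding window touch many different accounts and are mostly failures, and lists the accounts where a success followed. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real 23andMe logs).
# Assumed format: ISO-8601 timestamp, source IP, account id, outcome.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 user001 FAIL
2023-05-01T10:00:02Z 203.0.113.7 user002 FAIL
2023-05-01T10:00:03Z 203.0.113.7 user003 SUCCESS
2023-05-01T10:00:04Z 203.0.113.7 user004 FAIL
2023-05-01T10:00:05Z 203.0.113.7 user005 FAIL
2023-05-01T10:00:06Z 203.0.113.7 user006 FAIL
2023-05-01T10:00:07Z 203.0.113.7 user007 SUCCESS
2023-05-01T10:05:00Z 198.51.100.9 user042 FAIL
2023-05-01T10:05:30Z 198.51.100.9 user042 FAIL
2023-05-01T10:06:00Z 198.51.100.9 user042 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Return {ip: summary} for source IPs that, inside any sliding window,
    attempt logins against at least min_accounts distinct accounts with a
    success rate at or below max_success_rate. A single user mistyping their
    own password (one account, many failures) does not match this pattern."""
    by_ip = defaultdict(list)
    for ts, ip, acct, outcome in sorted(events):
        by_ip[ip].append((ts, acct, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            successes = [acct for _, acct, out in win if out == "SUCCESS"]
            if len(accounts) >= min_accounts and len(successes) / len(win) <= max_success_rate:
                # Later, larger windows overwrite earlier ones for the same IP.
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_accounts": len(accounts),
                    "compromised": sorted(set(successes)),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are assumptions to be tuned per service; the key signal is breadth across accounts rather than depth against one, which is also why a forced password reset plus default-on two-factor authentication, as 23andMe later applied, removes most of the value of reused credentials even when the detector misses an attempt.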
The company disclosed in data breach notification letters sent to impacted individuals that some stolen data was posted on the BreachForums hacking forum and the unofficial 23andMe subreddit.
The leaked information included the data of 4.1 million people living in the United Kingdom and 1 million Ashkenazi Jews.
23andMe told BleepingComputer in December that the threat actors downloaded data for 6.9 million out of 14 million customers after breaching around 14,000 user accounts.
Approximately 5.5 million individuals had their data scraped through the DNA Relatives feature and 1.4 million via the Family Tree feature.
Due to the incident, multiple lawsuits were filed against 23andMe, prompting the company to update its Terms of Use on November 30 to make it harder for customers to join class action lawsuits.
However, 23andMe stated that the changes were made to make the arbitration process more efficient and more accessible for customers to understand.