Genetics testing company 23andMe investigated over data breach

A joint investigation into a data breach at a DNA testing company has been launched by UK and Canadian watchdogs.

The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced the investigation into the October 2023 incident.

US-based genetics company 23andMe analyses its customers’ DNA through home saliva collection kits to provide insights on factors such as health and ancestry.

According to the company’s website, it has sold more than 12 million DNA testing kits since 2006.

The UK and Canadian data protection regulators said they will combine their expertise and resources to jointly conduct the investigation.

It will examine the scope of information exposed by the breach and potential harms to affected people.

The strength of 23andMe’s safeguards to protect the information within its control will also be investigated, as well as whether the company provided adequate notification about the breach to the two regulators and affected people.

The ICO said: “23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time.

“It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships.

“This makes public trust in these services essential.”

UK information commissioner John Edwards said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Privacy commissioner of Canada Philippe Dufresne said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.”

In a statement, 23andMe said: “We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”