The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach with the Office of the Privacy Commissioner of Canada (OPC).
In a statement, the UK’s data protection said the ICO and OPC would leverage the combined resources and expertise of the two offices to find out what happened at the genetic testing company in October 2023. The joint investigation “reflects the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions”.
According to the ICO, the investigation will look at:
Commenting on the joint investigation, John Edwards, UK Information Commissioner, said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
In October 2023, news broke that 23andMe had experienced a massive data breach. According to the company, hackers used credentials leaked from other websites to breach 23andMe accounts – a technique known as ‘credential stuffing’.
The security violation also involved 23andMe’s ‘DNA Relatives’ feature. This feature allows customers to compare ancestry information with other users. Hackers accessed the personal information of millions of people who used this feature – even if their accounts were not breached.
The data compromised in the 23andMe hack includes:
Information from the 23andMe data breach was subsequently offered for sale on the dark web.
Following the hack, 23andMe blamed customers who ‘failed to update their passwords’ for the initial data protection breach. It has not accepted blame for the DNA Relatives fiasco.
Data protection lawyers disagree with 23andMe’s assessment of who is to blame. Not least because the credential stuffing went on for months without being spotted. There are also allegations that 23andMe’s response to the hack was deficient.
The news of the joint investigation into the data breach implies that weaknesses in 23andMe’s data security processes did exist. In our opinion, the ICO is notoriously under resourced and is unlikely to launch an investigation into a hack without cause to do so.
However, the ICO does not award compensation to data breach victims. To get financial redress for the breach of your personal data you must make a data breach claim.
We are investigating this incident to find out how it affects users and their relatives in England & Wales. If you receive notification of your involvement in this breach, sign up below to join our no-win, no-fee action and receive updates on this case.
Individuals are facing new challenges in the world of data privacy and security. With the… Read More
In our regular update, we provide a roundup of some of the data breaches and… Read More
We have launched a group action against MOVEit/Zellis. Group actions can be a powerful tool… Read More
The number of organisations affected by the MoveIt Data Breach is still rising, despite the… Read More
We have launched a group action against 23andMe. Group actions can be a powerful tool… Read More
We have launched a group action against Capita. Group actions can be a powerful tool… Read More