Investigation launching against 23andMe hack

UK and Canadian data watchdogs will investigate genetic testing company 23andMe over a data breach in October 2023. 

What happened?

In October 2023, genetic testing company 23andMe experienced a data breach. Hackers accessed the personal information of 6.9 million people by using old passwords from previous data breaches. The stolen data included family trees, birth years, and geographic locations, but not DNA records. Hackers accessed about 14,000 individual accounts and downloaded data connected to other users through family trees.

The UK Information Commissioner's Office (ICO) and Canada’s privacy watchdog launched a joint investigation to examine whether 23andMe had implemented adequate safeguards to protect user data. The investigation will also assess the impact of the breach and the company's response, including compliance with UK and Canadian regulations.

See also: HIPAA Compliant Email: The Definitive Guide

The backstory 

23andMe suffered a cyberattack from April to September 2023, targeting 14,000 accounts and leaking the genetic data of millions of users. The breach affected approximately 0.1% of the company's customer base, with the attackers attempting to sell the data on the dark web.

The company discovered the breach in October when the stolen data was promoted on subreddits and underground forums. Victims filed class action lawsuits against 23andMe, despite the company's attempts to change its terms of service. 

Go deeper: 23andMe admits major cyberattack went undetected for months

By the numbers

According to 23andMe’s about page: 

• 2006 was the year 23andMe set out to make DNA more accessible and meaningful for all.
• More than 12 millon DNA kits we’ve sold in that time.
• More than 55 health reports meeting FDA requirements.

The numbers have since grown, with about 7 million accounts. 

The breach revealed that 14000 individual accounts (0.1% of their customers) were hacked, leading to unauthorised access to personal data for 6.9 million customers.

What was said? 

According to BBC, 23andMe released a statement saying that they “intend to cooperate with these regulators’ reasonable requests.” This follows being notified of the investigation.

Canada's privacy commissioner, Philippe Dufresene, also warned that “in the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.” 

Why it matters

The investigation into the 23andMe data breach matters for several key reasons:

• Protection of sensitive data: The breach involved highly sensitive personal information, including family trees, birth years, and geographic locations. Though DNA records were not accessed, the data exposed can still be misused for identity theft, fraud, and other malicious activities. The investigation will ensure that such sensitive information is adequately protected should safeguards not already be in place.
• Public trust: Maintaining public trust is crucial for companies like 23andMe that handle genetic and personal data. The breach has the potential to erode user confidence in the company’s ability to safeguard their data. The investigation will assess whether the company took appropriate measures to protect user information and how it handled the breach, which is vital for restoring trust.
• Regulatory compliance: The joint investigation by the UK Information Commissioner's Office (ICO) and Canada’s privacy watchdog will determine if 23andMe complied with relevant data protection regulations in both countries. Ensuring regulatory compliance is essential for protecting consumers and maintaining the integrity of the digital economy.
• Impact assessment: Understanding the scope and impact of the breach on affected individuals determines the extent of the damage and guiding the response and remediation efforts. The investigation will look into the size of the hack, the potential harm to users, and whether the company provided adequate notification and support to those affected.
• Preventing future breaches: The investigation will evaluate whether 23andMe had adequate safeguards in place and may identify weaknesses or gaps in their security practices. This can lead to improved security measures, not just for 23andMe but potentially for the broader industry, as findings and recommendations can set new standards and best practices.

Read more: 

• Understanding and managing a HIPAA breach
• How to respond to a data breach

FAQs

What is a data breach?

A data breach is a security incident where unauthorized individuals gain access to sensitive or confidential information stored by an organization. Data breaches can result in the theft, exposure, or compromise of personal or corporate data.

What are the consequences of a HIPAA breach?

A HIPAA breach can result in severe consequences, including financial penalties, legal action, and reputational damage for healthcare entities.

Go deeper: What are the penalties for HIPAA violations?