
UK and Canada Probe DNA Company 23andMe’s Data Breach

Probes aim to determine if 23andMe's security measures were adequate amidst rising digital privacy concerns.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

The UK’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada have united to probe a significant data breach at genetic testing giant 23andMe.

The breach compromised the genetic and ancestral information of 6.9 million users—half of its user database. Initially unnoticed by the company, the breach occurred between April and September 2023, with the company becoming aware only in October after the compromised data surfaced on an unofficial subreddit and a notorious hacking forum.

The scope of the stolen data is extensive, including sensitive details such as the users’ names, birth years, familial connections, DNA shared with relatives, ancestry reports, and self-reported locations.

Hackers executed the breach by employing a technique known as password spraying, reusing passwords exposed in previous breaches to access around 14,000 customer accounts. Through an opt-in feature designed to connect distant relatives, dubbed DNA Relatives, the attackers could scrape the information of millions from these breached accounts.

In a climate where digital privacy concerns are escalating, ICO Commissioner John Edwards emphasized the necessity for trust in organizations that handle sensitive information. Edwards said, “This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

The investigation aims to ascertain the breadth of the exposed data, assess the potential harm inflicted on the affected users, and evaluate whether 23andMe had sufficient security measures to protect user data and properly notify the appropriate regulatory bodies.

23andMe’s spokesperson, Andy Kill, acknowledged the investigation, stating, “23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today. We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”

The significant data breach at 23andMe underscores the profound privacy and security risks associated with entrusting sensitive information to centralized companies, especially when it involves genetic data and biometrics. This incident demonstrates how vulnerable such data is to cyberattacks. The hackers’ ability to infiltrate the system using password spraying techniques and exploit features like DNA Relatives highlights the potential for extensive misuse and exploitation of personal data.

When genetic information—an immutable and deeply personal identifier—is compromised, the ramifications can be far-reaching, affecting not only the individuals involved but also their relatives, given the interconnected nature of genetic data.
