The California genetic testing company 23andMe faces investigations by the data watchdogs of the UK and Canada over a security breach affecting nearly 7 million people last October.
Hackers who broke into the site gained access to personal information by using customers’ old passwords. In some cases the information accessed included family trees, birth years and geographic locations.
The San Francisco-based company analyses its customers’ DNA through a saliva sample to provide insights into health and ancestry, and has sold more than 12m DNA testing kits since it was set up in 2006, according to its website.
The UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach, the ICO said.
It will examine the scope of information that was exposed by the breach and potential harms to affected people; whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and whether the company provided adequate notification about the breach to the two regulators and affected people, as required under Canadian and UK data protection laws.
“We intend to cooperate with these regulators’ reasonable requests,” 23andMe said in a statement.
A 23andMe spokesperson previously told the Guardian that the company did not “detect a breach” within 23andMe systems and instead attributed the incident to compromised recycled login credentials from certain users.
Hackers initially accessed the personal data of 0.1% of customers – or about 14,000 individuals, which enabled them to access other people’s information because of an opt-in feature that allows DNA-related relatives to contact each other, so the true number of people exposed was 6.9 million. This was just less than half of 23andMe’s 14 million reported customers.
23andMe sells DNA testing kits starting from £79 for an “ancestry service” – “learn more about who you are” – and £129 for a “health and ancestry service” – “better understand how genetics impact your health”.
The UK information commissioner, John Edwards, and the privacy commissioner of Canada, Philippe Dufresne, will investigate the 23andMe breach jointly.
Edwards said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Dufresne said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
