Data protection authorities in the UK and Canada are currently jointly investigating the 23andMe data breach in October 2023.
In the incident, a threat actor published 13 million pieces of 23andMe data for sale on the dark web, including people’s ancestry information, phenotype and health information, photos and identification data, raw data, and some other account information.
The leak reportedly included one million rows of data from Ashkenazim, as well as more than 300,000 users of Chinese descent, with 4.1 million people in the UK also affected. Because this type of data doesn’t change over time, it’s relevant to threat actors whenever they get it, and can be used for identity theft, phishing attacks, and more.
Customer negligence?
Now the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have joined forces to conduct an investigation into the incident.
“People need to be able to trust that any organisation that processes their most sensitive personal data has the appropriate safeguards in place,” said John Edwards, UK Data Protection Commissioner.
“This data breach has had international implications and we look forward to working with our Canadian colleagues to ensure that people’s personal information in the UK is protected.”
The two organizations will examine the scope of the information disclosed and the potential harm to the individuals affected, as well as whether 23andMe had adequate safeguards in place. They will also investigate whether the company properly notified the individuals affected, as required by Canadian and UK privacy laws.
In January 2024, 23andMe blamed its customers for the data theft, telling a group of victims that they had “carelessly reused and failed to update their passwords following past security incidents unrelated to 23andMe.”
“Therefore, the incident was not the result of 23andMe’s alleged failure to maintain appropriate security measures,” the letter said.
More from TechRadar Pro