Canada and the UK cooperate in a joint investigation into 23andMe data misuse

The authorities of Canada and Great Britain have launched a joint investigation. 23andMe data leak that happened last October.

A threat actor then posted on the dark web claiming to be in possession of 23andMe profile information, eventually releasing around 4 million company records. 23andMe launched an investigation and found that the data leak was a credential stuffing attack that affected around 7 million people.

The discovery of the attack prompted the company to blame the victims of the violationand stated that they had acted negligently by reusing their passwords that had already been disclosed in previous data breaches.

The aim of the joint investigation is now to protect the “fundamental right to privacy of individuals in all jurisdictions”, as 23andMe is considered a “guardian of highly sensitive personal information”, such as genetic history, health, ethnic origin and biological relationships.

The countries will examine the extent of the compromised information, whether 23andMe had safeguards in place to protect this sensitive information, and whether the reports the company made to regulators were adequate.

“People need to be able to trust that any organization that processes their most sensitive personal data has the appropriate security measures in place,” said British Data Protection Commissioner John Edwards“This data breach has had international implications and we look forward to working with our Canadian colleagues to ensure that people’s personal information in the UK is protected.”

Edwards and Canadian Privacy Commissioner Philippe Dufresne will jointly investigate the breach.