Joint Investigation Launched into DNA Testing Company’s Data Breach
The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have announced a joint investigation into a data breach at US-based genetics company 23andMe. The incident, which occurred in October 2023, has raised concerns about the security and safeguards in place to protect sensitive personal information.
According to 23andMe’s website, the company has sold over 12 million DNA testing kits since 2006. These kits, which use home saliva collection, provide customers with insights on factors such as health and ancestry. However, the recent data breach has sparked an investigation by both UK and Canadian data protection regulators.
The UK and Canadian authorities have stated that they will combine their expertise and resources to conduct a thorough investigation into the breach. This will include examining the scope of information exposed and potential harms to those affected. The regulators will also assess the strength of 23andMe’s safeguards to protect the information within its control and whether the company provided adequate notification to both regulators and affected individuals.
In a statement, the ICO emphasized the sensitivity of genetic information and the need for public trust in services such as 23andMe. “23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.”
UK Information Commissioner John Edwards also stressed the importance of trust in organizations handling sensitive personal information. “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
Privacy Commissioner of Canada Philippe Dufresne echoed these sentiments, stating, “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination.”
In response to the investigation, 23andMe has stated, “We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”
The joint investigation by the ICO and OPC serves as a reminder of the importance of robust security measures and safeguards when handling sensitive personal information. It also highlights the need for companies to promptly and adequately notify both regulators and affected individuals in the event of a data breach.