ICO and Canadian counterpart to investigate 23andMe data breach 

ico website

The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach with the Office of the Privacy Commissioner of Canada (OPC).  

In a statement, the UK’s data protection said the ICO and OPC would leverage the combined resources and expertise of the two offices to find out what happened at the    genetic testing company in October 2023. The joint investigation “reflects the regulators’ commitment to collaborate on protecting the fundamental right to privacy of individuals across jurisdictions”. 

According to the ICO, the investigation will look at:  

  • The scope of information that was exposed by the breach and potential harms to affected people  
  • Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control  
  • Whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws. 

Commenting on the joint investigation, John Edwards, UK Information Commissioner, said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.” 

The 23andMe data breach

In October 2023, news broke that 23andMe had experienced a massive data breach. According to the company, hackers used credentials leaked from other websites to breach 23andMe accounts – a technique known as ‘credential stuffing’.    

The security violation also involved 23andMe’s ‘DNA Relatives’ feature. This feature allows customers to compare ancestry information with other users. Hackers accessed the personal information of millions of people who used this feature  – even if their accounts were not breached.  

The data compromised in the 23andMe hack includes: 

  • Relationship labels 
  • Ancestry reports 
  • Matching DNA segments 
  • Location 
  • Birth Year 
  • Ethnicity 
  • Profile pictures 
  • Family names 

Information from the 23andMe data breach was subsequently offered for sale on the dark web.  

23andMe is victim blaming

Following the hack, 23andMe blamed customers who ‘failed to update their passwords’ for the initial data protection breach. It has not accepted blame for the DNA Relatives fiasco.  

Data protection lawyers disagree with 23andMe’s assessment of who is to blame. Not least because the credential stuffing went on for months without being spotted. There are also allegations that 23andMe’s response to the hack was deficient.    

The news of the joint investigation into the data breach implies that weaknesses in 23andMe’s data security processes did exist. In our opinion, the ICO is notoriously under resourced and is unlikely to launch an investigation into a hack without cause to do so.  

However, the ICO does not award compensation to data breach victims. To get financial redress for the breach of your personal data you must make a data breach claim.  

We are investigating this incident to find out how it affects users and their relatives in England & Wales. If you receive notification of your involvement in this breach, sign up below to join our no-win, no-fee action and receive updates on this case.    

In March 2024, our firm changed its name to KP Law. 

Share this article: