UK and Canada Privacy Watchdogs Probe 23andMe Data Breach
12 June 2024 at 06:19
The United Kingdom and Canada privacy watchdogs announced a joint investigation this week to determine the security lapses in the genetic testing company 23andMeβs October data breach, which leaked ancestry data of 6.9 million individuals worldwide.
The UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne will lead the investigation, pooling the resources and expertise of their respective offices.
Focus of 23andMe Data Breach Investigation
The joint investigation will examine three key aspects:- Scope of Information Exposed: The breadth of data affected by the breach and the potential harm to individuals arising from it.
- Security Measures: Evaluate whether 23andMe had adequate safeguards to protect the sensitive information under its control.
- Breach Notification: Review whether the company provided timely and adequate notification to the regulators and affected individuals, as mandated by Canadian (PIPEDA) and UK (GDPR) data protection laws.
βPeople need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.βDufresne on the other hand stated the risks associated with genetic information in the wrong hands. He said:
βIn the wrong hands, an individualβs genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.βThe data protection and privacy laws in the UK and Canada allow such joint investigations on matters that impact both jurisdictions. Each regulator will assess compliance with the relevant laws they oversee. Neither of the privacy commissioner offices however provided further details on how they would charge or penalize 23andMe, if found in violation of GDPR or PIPEDA. βNo further comment will be made while the investigation is ongoing,β the UK ICO said. 23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today.
βWe intend to cooperate with these regulatorsβ reasonable requests relating to the credential stuffing attack discovered in October 2023,β a 23andMe spokesperson told The Cyber Express.