ICO and Canadian Privacy Commissioner to investigate 23andMe over massive customer data breach

The Information Commissioner’s Office says it will investigate the data security incident at 23andMe which affected as many as 5.5 million people.

In October, 23andMe disclosed a data security incident after a threat actor listed it as a victim on its data leak site. They also published samples of data allegedly stolen from the company, including 1 million lines of information about Ashkenazi Jews. Ashkenazi Jews are those who believe they descended from Jews who lived in Central or Eastern Europe.

A company spokesperson added that the perpetrator accessed the data of as many as 5.5 million people who opted-in to 23andMe’s DNA Relatives feature. The compromised data included display names, relationship labels, birth year, self-reported location and whether the user decided to share their information.

In a recent press release, the Information Commissioner’s Office has announced that it will investigate the data security incident along with the Office of the Privacy Commissioner of Canada (OPC).

“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” said John Edwards, UK Information Commissioner.

In a similar statement, Philippe Dufresne, Privacy Commissioner of Canada, said, “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The investigation will focus on the scope of the incident and potential harm to affected people, whether 23andMe had adequate safeguards in place to protect the sensitive information and whether the company provided adequate notification about the incident to the two regulators and affected people.