Business

Canada, U.K. launch joint privacy probe into 23andMe data breach

Canada's privacy commissioner is teaming up with his U.K. counterpart to investigate a data breach discovered last year at genetic testing company 23andMe.

Nearly 7 million 23andMe customers impacted by data breach last year

Two people buy kits at a booth labelled "23andMe" at a tech conference.
Two people purchase DNA kits at the 23andMe booth at the RootsTech annual genealogical event in Salt Lake City, Utah, on Feb. 28, 2019. Canada's privacy commissioner is teaming up with his U.K. counterpart to investigate a data breach discovered last year at 23andMe. (George Frey/Reuters)

Canada's privacy commissioner is teaming up with his U.K. counterpart to investigate a data breach discovered last year at 23andMe.

Philippe Dufresne's office says the joint investigation with U.K. Information Commissioner John Edwards will aim to determine the scope of the October 2023 breach at the direct-to-consumer genetic testing company.

They will also look into whether 23andMe had proper safeguards to protect the highly sensitive information it handled and whether the company adequately notified regulators and affected individuals about the breach.

Dufresne's office says it will work closely with counterparts in Quebec, B.C. and Alberta to carry out the Canadian portion of the investigation and will not be commenting further.

23andMe is best known for selling testing kits that take a small saliva sample to uncover genetic information about customers, including details about their health, ethnicity and biological relationships.

In a statement, 23andMe spokesman Andy Kill said the company is aware of the joint investigation.

"We intend to co-operate with these regulators' reasonable requests relating to the credential stuffing attack discovered in October 2023," he said.

The company told media outlets last December that roughly 6.9 million 23andMe customers had their data compromised in a breach.

LISTEN | How hackers tried to sell 23andMe data: 

Proposed class-action lawsuit over 23andMe data breach

12 months ago
Duration 1:57
The genetic testing company 23andMe says hackers gained access to the profiles of millions of its users in October. Now, some customers are involved in a proposed class-action lawsuit against the company.

"In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination," Dufresne said in a news release.

"Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world."