ICO investigates 23andMe data breach

The Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the October 2023 data breach at genetic testing company 23andMe.

Some 14m people are thought to have used 23andMe’s service to learn more about their ancestry. In return for a sample of saliva (and a fee), they received a report on their genetic heritage. This can be fascinating and insightful – but it’s also highly sensitive, personal data.


Such data can provide a wealth of information about an individual and their family members, such as their ethnicity, health and biological relationships.

In October last year, news broke that hackers had gained access to some of this data, including ‘uninterrupted raw genotype data’, as well as reports on predisposition to various conditions and on carrier status. The company later confirmed that hackers had accessed the accounts of 14,000 users over a period of five months. Other personal information of up to 5.5m customers had also been accessed.

Earlier this year, the Guardian reported on claims by some of the affected customers, who said that genetic information, including their Ashkenazi Jewish heritage, had been placed in ‘specially curated lists’ offered for sale on the dark web. The implication is that ethnic groups have been targeted as part of the attack.

Now, a joint investigation of the 23andMe breach is being undertaken by UK Information Commissioner John Edwards and Privacy Commissioner of Canada Philippe Dufresne, as part of the regulators’ wider commitment to protect individuals’ fundamental right to privacy. Data protection and privacy legislation enables authorities in Canada and the UK to collaborate on matters that have an impact across the two jurisdictions.

John Edwards, UK Information Commissioner, says: ‘People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.’

Philippe Dufresne, Privacy Commissioner of Canada, adds: ‘In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.’

While the investigation is ongoing, no further comment will be made.
