Joint Investigation Launched by Canada and UK Privacy Authorities after 23andMe Data Breach
ICARO Media Group
Privacy authorities in Canada and the United Kingdom have joined forces to investigate the 2023 data breach at genetic testing provider 23andMe. The Privacy Commissioner of Canada and the UK Information Commissioner's Office (ICO) are collaborating to assess the extent of the breach and determine whether adequate security safeguards were in place to protect customer data.
The joint investigation will focus on evaluating the scope of sensitive customer information that was exposed as a result of the breach. Concerns about potential misuse of this genetic data for surveillance or discrimination have raised alarm bells among privacy authorities both within Canada and globally.
Privacy Commissioner of Canada, Philippe Dufresne, emphasized the importance of protecting personal information from malicious actors, stating, "Ensuring that personal information is adequately protected against attacks is an important focus for privacy authorities." UK Information Commissioner John Edwards echoed this sentiment, emphasizing the need for organizations to maintain the trust of individuals by implementing robust security measures.
In January, 23andMe confirmed that attackers had gained unauthorized access to health reports and raw genotype data during a five-month credential-stuffing attack. The attack ran from April 29 to September 27: the attackers replayed username and password pairs leaked in breaches of other websites against the 23andMe login page, succeeding wherever a customer had reused the same password.
Upon detecting the breach on October 10, 23andMe promptly enforced a password reset for all customers. Furthermore, two-factor authentication has been enabled by default for both new and existing customers since November 6.
Information disclosed in breach notification letters revealed that some stolen data had been posted on the BreachForums hacking forum and the unofficial 23andMe subreddit. The breach impacted approximately 4.1 million people in the United Kingdom and 1 million Ashkenazi Jews.
According to 23andMe, the threat actors obtained data on 6.9 million of the company's 14 million customers after compromising only about 14,000 user accounts. The compromised accounts served as a foothold: approximately 5.5 million individuals had their data scraped through the opt-in DNA Relatives feature, which shows each user the profiles of their genetic matches, and a further 1.4 million were affected via the Family Tree feature.
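Two things in the preceding paragraphs lend themselves to a worked illustration: the login pattern a credential-stuffing campaign leaves in authentication logs, and the way a relative-matching feature multiplies the reach of a few compromised accounts. The block below is an added example written for this page; it is not 23andMe's code, and the log lines, IP addresses, usernames and match graph are all constructed for the demonstration. The detection heuristic (many distinct usernames from one source address in a short window, with a high failure ratio) is a common one, but the thresholds used here are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: (epoch_seconds, src_ip, username, outcome).
# One address cycles through many accounts with mostly failures, which is the
# signature of credential stuffing; the other two are ordinary logins.
SAMPLE_LOG = [
    (1000, "203.0.113.5", "alice", "fail"),
    (1001, "203.0.113.5", "bob", "fail"),
    (1002, "203.0.113.5", "carol", "success"),
    (1003, "203.0.113.5", "dave", "fail"),
    (1004, "203.0.113.5", "erin", "fail"),
    (1005, "203.0.113.5", "frank", "success"),
    (1006, "203.0.113.5", "grace", "fail"),
    (1007, "203.0.113.5", "heidi", "fail"),
    (1100, "198.51.100.7", "alice", "fail"),
    (1110, "198.51.100.7", "alice", "success"),
    (1200, "192.0.2.9", "bob", "success"),
]

# Constructed relative-match graph: account -> accounts that opted in to
# match with it (symmetric in practice; only one direction is needed here).
RELATIVE_MATCHES = {
    "carol": {"match-1", "match-2", "match-3"},
    "frank": {"match-3", "match-4"},
    "alice": {"match-5"},
}


def detect_stuffing(log, window=300, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose activity in any `window`-second span touches at
    least `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`.  Returns {ip: sorted usernames that logged in
    successfully from that ip}, i.e. the accounts to treat as compromised.
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in log:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, o in span if o == "fail")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = sorted(u for _, u, o in events if o == "success")
                break  # one matching window is enough to flag the ip
    return flagged


def exposed_via_relatives(compromised, matches):
    """Accounts whose shared profile data is readable once the `compromised`
    accounts are taken over: the accounts themselves plus every account that
    opted in to match with them."""
    exposed = set(compromised)
    for acct in compromised:
        exposed |= matches.get(acct, set())
    return exposed


def blast_radius(log, matches):
    """Tie the two steps together: accounts logged into from a flagged ip,
    and the larger set of accounts exposed through the match feature."""
    compromised = set()
    for users in detect_stuffing(log).values():
        compromised.update(users)
    return compromised, exposed_via_relatives(compromised, matches)


if __name__ == "__main__":
    taken_over, exposed = blast_radius(SAMPLE_LOG, RELATIVE_MATCHES)
    print("accounts taken over:", sorted(taken_over))
    print("accounts exposed through matching:", sorted(exposed))
```

On the constructed data, two successful logins from the stuffing address expose six accounts once the match graph is followed; the article's figures (about 14,000 accounts compromised, 6.9 million affected) are the same amplification at scale. In a real deployment the per-IP heuristic should be complemented by per-account signals (a success following failures on the same account, a known-breached password at login) since attackers spread attempts across many addresses.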
The breach has led to multiple lawsuits against 23andMe, and on November 30 the company updated its Terms of Use. Critics have argued that the amendments make it harder for customers to join class-action lawsuits; 23andMe said the changes were made to make the arbitration process more efficient and accessible.
The joint investigation by Canadian and UK privacy authorities aims to ensure that such incidents are prevented in the future and that the personal information of individuals in both countries is safeguarded. As the investigation progresses, it will shed light on the measures taken by 23andMe and determine if any legal or regulatory actions are necessary to protect consumer data privacy.