Genetic testing firm 23andMe investigated over hack

The logo of 23andMe on a sign outside an office buildingImage source, Getty Images
  • Published

The data watchdogs of the UK and Canada will investigate genetic testing company 23andMe over a data breach in October 2023.

Hackers gained access to personal information of 6.9 million people, which in some cases included family trees, birth years and geographic locations, by using customers' old passwords.

One of the things the joint taskforce will investigate is whether adequate safeguards had been put in place to protect such data.

"We intend to cooperate with these regulators’ reasonable requests," 23andMe said in a statement.

The data stolen in October did not include DNA records.

23andMe is a giant of the growing ancestor-tracing industry, offering genetic testing from DNA, with ancestry breakdown and personalised health insights.

The company was not hacked itself - but rather criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the family trees on the website.

At the time, 23andMe said it informed affected customers and made them change their passwords and update account security.

According to the UK Information Commissioner's Office (ICO), the data stored by 23andMe "can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships".

It said this means it is "essential" for the public to trust the service.

The joint investigation between the data watchdogs will look at the size of the hack and its potential harm to users as well as whether adequate safeguards were in place.

It will also look into how 23andMe reported the breach, and if the firm followed the correct processes in the UK and Canada.

"In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination," said Canada privacy commissioner Philippe Dufresene.