
Biotech company 23andMe is under investigation by UK and Canadian data protection watchdogs over a hack that occurred in 2023.
23andMe offers DNA analysis of saliva samples submitted by its customers.
In a filing on 1 October 2023, 23andMe first confirmed that a bad actor had claimed to have the DNA data of seven million of its users.
23andMe stated that it immediately launched an investigation into the claim using third-party incident response experts.
The UK Information Commissioner’s Office (ICO) stated that it would be investigating the scope of sensitive information leaked by the hack and the level of security 23andMe used to protect its customers’ data.
The investigation will run alongside a similar investigation by Canada’s Privacy Commissioner.
The ICO will also investigate whether 23andMe provided enough information about the hack to both data watchdogs as required by UK and Canadian law.
In a statement, the ICO explained that 23andMe was the custodian of highly sensitive genetic data that does not change over time and can provide information on a person’s ethnicity, familial relationships and health.
Canada’s Privacy Commissioner, Philippe Dufresne, explained that the data could be used by bad actors to discriminate against 23andMe’s customers or for surveillance.
The sensitive nature of this data, stated the ICO, requires 23andMe to maintain public trust among its customers.
“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” said UK Information Commissioner John Edwards.
“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” Edwards added.