UK and Canadian Authorities Launch Joint Probe into 23andMe Data Breach

On 10 June 2024, UK and Canadian watchdogs launched a joint investigation into the critical data breach at 23andMe, the worldwide DNA testing company. The Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced they are examining an incident from October 2023.

23andMe, a US-based genetics company, analyzes customers' DNA through home saliva collection kits, offering insights into health and ancestry. Since 2006, the company has sold over 12 million DNA testing kits. 

On October 6, 2023, 23andMe disclosed in a quite ambiguous blog post that cybercriminals had infiltrated specific user accounts and accessed sensitive information. Hackers used a technique called credential stuffing, leveraging passwords stolen from other sites to gain access to 23andMe accounts. After infiltrating these accounts, the hackers exploited the "DNA Relatives" feature, which connects users with similar genetic profiles to build family trees. 

"The threat actor was able to access less than 0.1%, or roughly 14,000 user accounts, of the existing 14 million 23andMe customers through credential stuffing. The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts." (23andMe Blog)

Initially, 23andMe blamed the data breach on users' poor security practices, an unusual PR move that drew reactions ranging from amusement to anger. Some critics went as far as calling it victim blaming, though others noted that users could have adopted stronger security measures such as 2FA. The hackers used credential stuffing to access about 14,000 accounts, a method that is hard to detect, so this will be a main focus for regulators, especially since 23andMe only made 2FA mandatory in November 2023, after the breach occurred; before that, 2FA was optional. The ICO and OPC have declined to comment until their investigation is finished, and 23andMe has said it will cooperate with the investigation into the October 2023 credential stuffing attack.
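Credential stuffing is hard to spot per account because each account typically sees only one or two attempts; the usable signal is at the source level, where one address touches many distinct accounts with few tries each. The following is an added example, not code from 23andMe or from this article: a heuristic detector run over a constructed authentication log that flags sources matching that pattern while leaving a single user's retries and a brute-force run against one account unflagged. The log format, the thresholds and the IP addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (not real data): "timestamp source_ip account outcome".
# 198.51.100.9 replays leaked pairs against many accounts, one try each (stuffing);
# 192.0.2.4 is one user retyping a password; 203.0.113.8 brute-forces a single account.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 198.51.100.9 u01@example.test FAIL
2023-10-01T02:00:02Z 198.51.100.9 u02@example.test FAIL
2023-10-01T02:00:03Z 198.51.100.9 u03@example.test OK
2023-10-01T02:00:04Z 198.51.100.9 u04@example.test FAIL
2023-10-01T02:00:05Z 198.51.100.9 u05@example.test FAIL
2023-10-01T02:00:06Z 198.51.100.9 u06@example.test OK
2023-10-01T02:01:00Z 192.0.2.4 u09@example.test FAIL
2023-10-01T02:01:05Z 192.0.2.4 u09@example.test OK
2023-10-01T02:02:00Z 203.0.113.8 u10@example.test FAIL
2023-10-01T02:02:01Z 203.0.113.8 u10@example.test FAIL
2023-10-01T02:02:02Z 203.0.113.8 u10@example.test FAIL
2023-10-01T02:02:03Z 203.0.113.8 u10@example.test FAIL
"""

@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)

def parse_log(text):
    """Yield (source_ip, account, outcome); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3]

def flag_stuffing_sources(text, min_accounts=5, max_tries_per_account=2.0):
    """Return {ip: (distinct_accounts, successes)} for sources whose pattern
    looks like credential stuffing: many distinct accounts, few tries each."""
    stats = defaultdict(SourceStats)
    for ip, account, outcome in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        s.successes += int(outcome == "OK")
    flagged = {}
    for ip, s in stats.items():
        if len(s.accounts) >= min_accounts and s.attempts / len(s.accounts) <= max_tries_per_account:
            flagged[ip] = (len(s.accounts), s.successes)
    return flagged

if __name__ == "__main__":
    for ip, (n, ok) in flag_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} accounts tried, {ok} succeeded -> review and force reset")
```

Every account that saw a success from a flagged source should be treated as compromised, since a valid login is exactly what stuffing produces.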

Commenting on the scope of the investigation, John Edwards, UK Information Commissioner, declared that “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

The investigation aims to assess the extent of the compromised data and its potential impact on affected individuals. It will also scrutinize the adequacy of 23andMe's security measures to protect sensitive information and review whether 23andMe provided timely and adequate notifications to both the affected individuals and the relevant authorities in compliance with Canadian and UK privacy laws.

Genetic data is deeply personal and immutable, unlike a credit card number or email address. It can disclose private health information, biological details, and paternity information for customers and their relatives. This data is highly sensitive and, if misused, could result in discrimination and substantial harm. It is an area that warrants significant regulatory attention and must be subject to rigorous scrutiny.

Beyond health and ancestry insights, genetic data includes markers that could be used for identity theft or fraudulent activities. The combination of genetic and personal information (names, addresses, etc.) creates comprehensive profiles that are highly attractive to cybercriminals.

Although 23andMe has taken steps to mitigate the immediate risks, the breach points to systemic issues in the security practices of companies handling sensitive data. It raises questions about the adequacy of existing safeguards and the need for more proactive measures to prevent such breaches. As UK and Canadian regulators probe the incident, the onus is on companies to strengthen their security frameworks and adopt proactive measures against cyber threats.
