Genetic testing company 23andMe investigated the hack

Data watchdogs in the UK and Canada will investigate genetic testing company 23andMe over a data breach in October 2023.

The hackers were able to access the personal information of 6.9 million people, which in some cases included family trees, birth years and geographic locations, using customers’ old passwords.

One of the things the joint task force will investigate is whether adequate safeguards have been put in place to protect this data.

“We intend to cooperate with the reasonable requests of these regulators,” 23andMe said in a statement.

The data stolen in October did not include DNA records.

23andMe is a giant in the growing ancestry tracing industry, offering DNA genetic testing, with ancestry details and personalized health insights.

The company itself was not hacked, but rather the criminals logged into about 14,000 individual accounts, or 0.1% of customers, using email and password details previously exposed in other hacks.

The criminals not only downloaded data from those accounts, but also the private information of all other users they had links to through family trees on the site.

At the time, 23andMe said it notified affected customers and had them change their passwords and update account security.

According to the UK Information Commissioner’s Office (ICO), data stored by 23andMe “could reveal information about the individual and members of their household, including information about their health, ethnicity and biological relationships.”

She said this meant it was “essential” for the public to trust the service.

The joint investigation between data watchdogs will look into the scale of the breach and the potential harm it could cause to users, as well as whether there are adequate safeguards.

It will also look into how 23andMe reported the hack, and whether the company followed the correct processes in the UK and Canada.

“In the wrong hands, an individual’s genetic information can be misused for the purposes of surveillance or discrimination,” said Canadian Privacy Commissioner Philippe Dufresne.