Canada & UK Partner in Joint 23andMe Data Breach Investigation

Authorities in Canada and the UK have launched a joint investigation into a 23andMe data breach that occurred last October. 

That's when a threat actor posted on the Dark Web claiming possession of 23andMe profile information, ultimately releasing roughly 4 million company records. 23andMe launched an investigation, discovering that the breach was a credential-stuffing attack that affected around 7 million people.

The discovery of the attack led the company to blame the victims of the breach, saying they were negligent in reusing their passwords that had previously been exposed in past data breaches.

The joint investigation now seeks to protect the "fundamental right to privacy of individuals across jurisdictions," as 23andMe is considered to be "a custodian of highly sensitive personal information" such as genetic history, health, ethnic background, and biological relationships. 

The countries will investigate the scope of the breached information, whether 23andMe had safeguards in place to protect that sensitive information, and whether the notifications the company provided to the regulators was adequate.

"People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place," said UK Information Commissioner John Edwards. "This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Edwards and Canadian Privacy Commissioner Philippe Dufresne will be jointly investigating the breach.