23andMe, the California-based company which sells DNA testing kits to help people learn about their ancestry and potential health risks, is facing scrutiny from British and Canadian data protection authorities following a security breach that saw hackers compromise the personal data of nearly seven million users.
As we have previously reported, hackers published the data about millions of 23andMe users on a cybercrime forum in October 2023, exposing users' full names, profile photos, dates of birth, sex, geographic location, and genetic ancestry details.
Hackers were able to break into the accounts of users in a credential-stuffing attack that took advantage of those users who had made the mistake of using the same password on 23andMe that they had used on other sites.
However, the security breach was made much worse when the hackers used a 23andMe feature called "DNA Relatives" to scrape the details of other 23andMe users who had not made the password blunder.
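The two stages described above (credential stuffing against reused passwords, then bulk harvesting through a relative-matching feature) leave distinct traces in server logs. The following is an added defender-side example, not code from 23andMe or from the original article: it runs over constructed sample log lines and flags source addresses that cycle through many accounts with mostly failed logins, accounts that pull an implausible number of relative profiles, and the overlap between the two. Thresholds, log formats and the `DNA Relatives` access-log shape are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data):
# timestamp source_ip account outcome
AUTH_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.5 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.9 frank@example.com FAIL
2023-10-01T10:05:30Z 198.51.100.9 frank@example.com OK
"""

# Constructed sample relative-matching access log (assumed format):
# timestamp account profiles_fetched
RELATIVES_LOG = """\
2023-10-01T10:10:00Z carol@example.com 1500
2023-10-01T10:12:00Z frank@example.com 12
"""

def credential_stuffing_sources(log, min_accounts=4, min_fail_ratio=0.5):
    """IPs that tried many distinct accounts and mostly failed: stuffing pattern."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        _, ip, account, outcome = line.split()
        accounts[ip].add(account)
        total[ip] += 1
        if outcome == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip in accounts
                  if len(accounts[ip]) >= min_accounts
                  and fails[ip] / total[ip] >= min_fail_ratio)

def scraping_accounts(log, max_profiles=100):
    """Accounts whose relative-profile fetch volume exceeds a per-session cap."""
    hits = set()
    for line in log.splitlines():
        _, account, count = line.split()
        if int(count) > max_profiles:
            hits.add(account)
    return sorted(hits)

def compromised_then_scraping(auth_log, rel_log):
    """Accounts logged into from a stuffing source that then bulk-pulled relatives."""
    sources = set(credential_stuffing_sources(auth_log))
    taken_over = set()
    for line in auth_log.splitlines():
        _, ip, account, outcome = line.split()
        if ip in sources and outcome == "OK":
            taken_over.add(account)
    return sorted(taken_over & set(scraping_accounts(rel_log)))
```

A successful login from a flagged source followed by an outsized relatives pull is the signal worth paging on; either stage alone is noisier.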
The UK's Information Commissioner's Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) are now conducting a joint investigation into the security incident, hoping to determine its scope, assess the potential harm caused to individuals, and evaluate if 23andMe had adequate safeguards in place to protect sensitive information.
There will also be a probe into whether 23andMe properly notified data regulators and affected users about the serious security breach. As previously discussed, the implications of a DNA data leak can be considerable.
"In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination," said Philippe Dufresne, Canada's privacy commissioner.
23andMe has said it will co-operate with the investigation, but has continued to put the focus of blame on users who had reused login credentials.
In the wake of the breach, all 23andMe users were told to reset their passwords "out of caution," reminded to never reuse their passwords, and encouraged to enable multi-factor authentication.
Since last October's data breach, 23andMe has performed dismally as a company. In the wake of more than 30 lawsuits, the company which used to be valued at $6 billion now has a share price worth pennies, and it risks being delisted from the Nasdaq stock exchange. Some have suggested that 23andMe's precarious financial condition may mean it is in imminent danger of bankruptcy.
Which, in itself, raises an important question. 23andMe's greatest asset is its DNA database. Who might end up buying that, and how much care will they take to ensure that the highly sensitive data is not mishandled or abused?