The data protection authorities of the UK and Canada are set to investigate the genetic testing company 23andMe following a significant data breach in October 2023. Hackers accessed the personal information of 6.9 million individuals, including family trees, birth years, and geographic locations, by exploiting customers' old passwords.
The joint taskforce will scrutinize whether 23andMe had implemented sufficient safeguards to protect this sensitive information. In a statement, 23andMe expressed its intention to fully cooperate with the regulators' reasonable requests.
The stolen data did not include DNA records. Hackers logged into approximately 14,000 individual accounts, or 0.1% of 23andMe's customer base, using email and password details previously exposed in other breaches. Once inside, they downloaded not only the data from these accounts but also the private information of other users connected through the website's family trees, which is how the number of affected individuals reached 6.9 million.
Following the breach, 23andMe informed the affected customers, prompting them to change their passwords and update their account security measures.
The UK Information Commissioner's Office (ICO) highlighted the significance of the data stored by 23andMe, which can reveal extensive information about an individual's health, ethnicity, and biological relationships. The ICO emphasized the need for public trust in such services, given the potential for misuse of genetic information.
The joint investigation will examine the extent of the hack, its potential harm to users, and the adequacy of the security measures that were in place. Additionally, it will assess how 23andMe reported the breach and whether the company adhered to the correct procedures in the UK and Canada.
Canada's Privacy Commissioner Philippe Dufresne remarked on the potential risks associated with genetic information, noting that in the wrong hands, it could be misused for surveillance or discrimination.