Biotech company 23andMe is under investigation by UK and Canadian data protection watchdogs over a hack that occurred in 2023.

23andMe offers DNA analysis of saliva samples submitted by its customers. 

In a filing on 1 October 2023, 23andMe first confirmed that a bad actor had claimed to have the DNA data of seven million of its users.  

23andMe stated that it immediately launched an investigation into the claim using third-party incident response experts.   

The UK Information Commissioner’s Office (ICO) stated that it would be investigating the scope of sensitive information leaked by the hack and the level of security 23andMe used to protect its customers’ data.

The investigation will run alongside a similar investigation by Canada’s Privacy Commissioner. 

The ICO will also investigate whether 23andMe provided enough information about the hack to both data watchdogs as required by UK and Canadian law. 

In a statement, the ICO explained that 23andMe was the custodian of highly sensitive genetic data, which does not change over time and can provide information on a person’s ethnicity, familial relationships and health.

Canada’s Privacy Commissioner, Philippe Dufresne, explained that the data could be used by bad actors to discriminate against 23andMe’s customers or for surveillance. 

The sensitive nature of this data, stated the ICO, requires 23andMe to maintain the trust of its customers.

“People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” said UK Information Commissioner John Edwards. 

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected,” Edwards added.