Headquarters of 23andMe in Mountain View, California
23andMe said it intended to cooperate with regulators’ requests after the hack. Photograph: Kristoffer Tripplaar/Alamy

Genetic testing company 23andMe investigated over hack that hit 7m users

Data watchdogs in UK and Canada to look at whether there were enough safeguards on personal information

The California genetic testing company 23andMe faces investigations by the data watchdogs of the UK and Canada over a security breach affecting nearly 7 million people last October.

Hackers who broke into the site gained access to personal information by using customers’ old passwords. In some cases the information accessed included family trees, birth years and geographic locations.

The San Francisco-based company analyses its customers’ DNA through a saliva sample to provide insights into health and ancestry, and has sold more than 12m DNA testing kits since it was set up in 2006, according to its website.

The UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have launched a joint investigation into the data breach, the ICO said.

It will examine the scope of information that was exposed by the breach and potential harms to affected people; whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and whether the company provided adequate notification about the breach to the two regulators and affected people, as required under Canadian and UK data protection laws.

“We intend to cooperate with these regulators’ reasonable requests,” 23andMe said in a statement.

A 23andMe spokesperson previously told the Guardian that the company did not “detect a breach” within 23andMe systems and instead attributed the incident to compromised recycled login credentials from certain users.

Hackers initially accessed the personal data of 0.1% of customers, or about 14,000 individuals. This enabled them to access other people’s information because of an opt-in feature that allows DNA-related relatives to contact each other, so the true number of people exposed was 6.9 million. This was just less than half of 23andMe’s 14 million reported customers.

23andMe sells DNA testing kits starting from £79 for an “ancestry service” – “learn more about who you are” – and £129 for a “health and ancestry service” – “better understand how genetics impact your health”.

The UK information commissioner, John Edwards, and the privacy commissioner of Canada, Philippe Dufresne, will investigate the 23andMe breach jointly.

Edwards said: “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Dufresne said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
