Canada’s privacy commissioner is teaming up with his U.K. counterpart to investigate a data breach discovered last year at 23andMe.
Philippe Dufresne’s office says the joint investigation with U.K. Information Commissioner John Edwards will aim to determine the scope of the October 2023 breach at the direct-to-consumer genetic testing company.
They will also look into whether 23andMe had proper safeguards to protect the highly sensitive information it handled and whether the company adequately notified regulators and affected individuals about the breach.
Dufresne’s office says it will work closely with counterparts in Quebec, B.C. and Alberta to carry out the Canadian portion of the investigation and will not be commenting further.
23andMe is best known for selling testing kits that take a small saliva sample to uncover genetic information about customers, including details about their health, ethnicity and biological relationships.
In a statement, 23andMe spokesman Andy Kill said the company is aware of the joint investigation.
“We intend to co-operate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” he said.
The company told media outlets last December that roughly 6.9 million 23andMe customers had their data compromised in a breach.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” Dufresne said in a news release.
“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”