Privacy authorities in Canada and the UK have launched a joint investigation to assess the scope of sensitive customer information exposed in last year’s 23andMe data breach.
The Canadian Privacy Commissioner and the Information Commissioner’s Office (ICO) said they will review whether the company has appropriate safeguards in place to secure customer data stored on its systems, according to a report by Bleeping Computer.
The investigation will also focus on whether the company notified affected individuals and regulators as required under Canadian and UK privacy and data protection laws.
The data breach occurred last January, when 23andMe confirmed that attackers stole health reports and raw genotype data from affected customers in a five-month-long credential stuffing attack. The attackers used credentials stolen in other data breaches or from compromised online platforms to break into 23andMe accounts.
At that time, the company issued a notice requiring customers to reset their passwords. Later, the company also enabled two-factor authentication by default for all recent and existing customers. The leaked information included details of 4.1 million people living in the UK and 1 million Ashkenazi Jews.
The breach resulted in multiple lawsuits filed against 23andMe, forcing the company to update its Terms of Use, making it more challenging for users to join class action lawsuits. However, the company said this was introduced to make the arbitration process more efficient and accessible to customers.