Who: 23andMe, a genetic testing company, and the privacy authorities of Canada and the United Kingdom.
What: A joint investigation by the Privacy Commissioner of Canada and the UK Information Commissioner’s Office (ICO) is examining the scope of, and response to, a data breach at 23andMe. The breach, which resulted from a credential-stuffing attack, exposed sensitive genetic and personal information of millions of customers. The investigation will assess whether 23andMe had adequate safeguards in place and whether it complied with notification requirements.
Impact: The breach compromised the data of 6.9 million out of 14 million customers, with 4.1 million UK residents and 1 million Ashkenazi Jews affected. The data included health reports and raw genotype information, raising concerns about potential misuse for surveillance or discrimination. Multiple lawsuits have been filed, and 23andMe has updated its Terms of Use to address arbitration processes. The investigation aims to ensure that sensitive personal information is adequately protected and that organizations handling such data maintain appropriate security measures.