Privacy authorities in Canada and the United Kingdom have launched a joint investigation to assess the scope of sensitive customer information exposed in last year’s 23andMe data breach.
The Privacy Commissioner of Canada and the Information Commissioner’s Office (ICO) said they will look into whether the company had adequate safeguards to secure customer data stored on its systems, according to a report from Bleeping Computer.
The investigation will also examine whether the company alerted affected individuals and the privacy regulators as required under Canadian and UK privacy and data protection laws.
The data breach occurred in January last year when 23andMe confirmed that attackers stole health reports and raw genotype data of affected customers in a five-month credential stuffing attack. Attackers used credentials stolen from other data breaches or compromised online platforms to breach 23andMe accounts.
At the time, the company issued a notification requiring customers to reset their passwords. Later, the company also enabled two-factor authentication by default for all new and existing customers. The leaked information included data of 4.1 million people living in the United Kingdom and 1 million Ashkenazi Jews.
The breach prompted multiple lawsuits against 23andMe, which led the company to update its Terms of Use, making it difficult for users to join class action lawsuits. However, the company said this was done to make the arbitration process more efficient and easier for customers to understand.