Canadian and British privacy regulators are together probing the global data breach of the genetic testing company 23andMe, authorities in the two countries announced Monday. A breach discovered in October 2023 exposed the genetic data of at least 5 million users of the direct-to-consumer genetic testing company. Privacy Commissioner of Canada Philippe Dufresne and U.K. Information Commissioner John Edwards said their offices will jointly investigate in order to augment their individual efforts. The probe will focus on how much information was exposed and how it harmed victims; whether 23andMe adequately protected the highly sensitive genetic data; and whether the company appropriately alerted the two regulators as well as victims under each country’s data protection laws. “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” Edwards said in a statement. “This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.” It remains unclear if federal authorities in the U.S. are investigating the breach. In November, Connecticut Attorney General William Tong sent a blistering letter to 23andMe questioning whether it had violated the state’s data privacy law. Much of the genetic information leaked on the dark web appeared to specifically focus on people of Ashkenazi Jewish descent and Chinese ancestry, a fact Tong called “particularly dangerous.” 23andMe had not alerted the state to the breach within the 60 days required by state law, Tong said. The Office of the Privacy Commissioner of Canada enforces that country’s Privacy Act. In the U.K., the Information Commissioner’s Office (ICO) regulates data protection and information rights.
Get more insights with the
Recorded Future
Intelligence Cloud.