June 11, 2024 at 04:54PM
Canada and the UK are conducting a joint investigation into a 23andMe data breach after a threat actor posted 4 million company records on the Dark Web. 23andMe confirmed that the breach, the result of a credential-stuffing attack, affected 7 million people. The investigation aims to protect individuals’ privacy rights and will scrutinize the scope of the breached information, the company’s safeguards, and the adequacy of its notifications.
The authorities in Canada and the UK have initiated a joint investigation into the 23andMe data breach that took place last October. The breach involved a threat actor claiming to possess 23andMe profile information and releasing approximately 4 million company records. Subsequent investigation by 23andMe revealed that it was a credential-stuffing attack that impacted around 7 million individuals.
In response to the attack, 23andMe seemingly placed blame on the victims, asserting that they were negligent in reusing passwords previously exposed in data breaches. The joint investigation aims to uphold the privacy rights of individuals across borders, as 23andMe is seen as a custodian of highly sensitive personal data related to genetic history, health, ethnicity, and biological relationships.
The investigation will encompass examining the extent of the breached information, evaluating 23andMe’s security measures for safeguarding this sensitive data, and assessing the adequacy of the notifications provided by the company to regulatory bodies.
UK Information Commissioner John Edwards emphasized the importance of organizations having appropriate security measures in place for handling individuals’ most sensitive personal data, expressing a commitment to collaborating with Canadian counterparts to ensure the protection of personal information in the UK.
Edwards and Canadian Privacy Commissioner Philippe Dufresne will jointly conduct the investigation into the breach.