UK and Canada launch investigation into 23andMe data breach

July 10, 2024

The Canadian and United Kingdom cybersecurity authorities have initiated a joint investigation to determine the extent to which sensitive customer information was exposed in last year’s 23andMe hack.

The combined investigation will also examine whether 23andMe notified affected individuals and privacy regulators as required under Canadian and UK privacy and data protection laws.

These authorities emphasised the importance of such requirements, since the compromised information could cause real harm if it fell into the wrong hands. They also reminded organisations to ensure that the personal information they hold is adequately protected against attacks by malicious actors.

The UK Information Commissioner also advised people to check that an organisation has appropriate security measures in place before entrusting it with their most sensitive personal information.

23andMe reported the data breach incident earlier this year.

Genetic testing company 23andMe reported that threat actors acquired health reports and raw genotype data from affected users during a five-month credential-stuffing campaign that lasted from April 29 to September 27.

Initial investigations revealed that the attackers used credentials acquired from previous data breaches or compromised websites to access 23andMe accounts.

After detecting the intrusion in October last year, 23andMe required all customers to reset their passwords. Since November 6, the company has required two-factor authentication (2FA) for all new and existing customers.
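The credential-stuffing pattern described above is hard to catch with the usual per-account lockout rule, because each account sees only one or two attempts; the signal is one source trying many distinct accounts with a low success rate. The Python below is an added example (not 23andMe's code) that runs both checks over constructed sample log lines; the log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2023-05-01T02:14:07Z 203.0.113.7 alice@example.com FAIL
2023-05-01T02:14:09Z 203.0.113.7 bob@example.com FAIL
2023-05-01T02:14:11Z 203.0.113.7 carol@example.com OK
2023-05-01T02:14:13Z 203.0.113.7 dave@example.com FAIL
2023-05-01T02:14:15Z 203.0.113.7 erin@example.com FAIL
2023-05-01T02:14:17Z 203.0.113.7 frank@example.com OK
2023-05-01T02:15:00Z 198.51.100.4 grace@example.com FAIL
2023-05-01T02:15:30Z 198.51.100.4 grace@example.com FAIL
2023-05-01T02:16:00Z 198.51.100.4 grace@example.com OK
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, ip, user, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def per_account_lockout_hits(events, max_failures=3):
    """Classic rule: flag accounts with at least max_failures failed logins.
    Credential stuffing spreads attempts across accounts, so this rarely fires."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= max_failures}


def credential_stuffing_sources(events, min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate,
    and list the accounts that actually succeeded so they can be forced to reset."""
    attempts = defaultdict(list)
    for _, ip, user, result in events:
        attempts[ip].append((user, result))
    flagged = {}
    for ip, rows in attempts.items():
        users = {u for u, _ in rows}
        successes = [u for u, r in rows if r == "OK"]
        if len(users) >= min_distinct_users and len(successes) / len(rows) <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(users), "compromised": sorted(successes)}
    return flagged
```

The per-account rule stays silent on the sample, while the per-source rule flags 203.0.113.7 and names the two accounts it logged into.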

In the data breach notification emails and letters sent to affected individuals, the company stated that some of the stolen data had been posted on the BreachForums hacking forum and on the unofficial 23andMe subreddit. The hacked data included the personal information of 4.1 million UK residents and 1 million Ashkenazi Jews.

In December, the company also revealed that the threat actors had downloaded data on 6.9 million of its 14 million customers after accessing approximately 14,000 user accounts. Of those, the attackers scraped the data of about 5.5 million people through the DNA Relatives feature and a further 1.4 million through the Family Tree feature.

Following the incident, the company faced various lawsuits and modified its Terms of Service to make it more difficult for customers to join class action lawsuits.
