The data stolen in October did not include DNA records.
23andMe is a giant of the growing ancestor-tracing industry, offering genetic testing from DNA, with ancestry breakdown and personalised health insights.
The company was not hacked itself – but rather criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.
The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the family trees on the website.
At the time, 23andMe said it informed affected customers and made them change their passwords and update account security.
According to the UK Information Commissioner’s Office (ICO), the data stored by 23andMe “can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships”.
It said this means it is “essential” for the public to trust the service.
The joint investigation between the data watchdogs will look at the size of the hack and its potential harm to users as well as whether adequate safeguards were in place.
It will also look into how 23andMe reported the breach, and if the firm followed the correct processes in the UK and Canada.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Canada privacy commissioner Philippe Dufresene.
source: https://www.bbc.com/news/articles/c3gg17pq5y9o
