UK and Canada’s data chiefs join forces to investigate 23andMe mega-breach

The data protection watchdogs of the UK and Canada are teaming up to hunt down the facts behind last year’s 23andMe data breach.

The two-dog wolfpack of the Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) will look at whether the biotech biz’s breach caused any customer harm, whether the appropriate safeguards were in place to prevent the incident, and if they were adequately candid with regulators at the time.

John Edwards, UK Information Commissioner, said: “People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. 

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Edwards’ counterpart Philippe Dufresne, the Privacy Commissioner of Canada, echoed those words: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

The breach at the genetics and long-lost-family-finder was one of the year’s more shocking incidents, with the number of affected individuals rising to nearly 7 million after months of investigations.

It also came to light that the company failed to detect the attackers’ activity for five months, only becoming aware of a breach after seeing a Reddit post about the data being stolen, rather than its own internal cyber sleuths picking up on the intrusion.

The cybercriminal using the alias “Golem” posted the data to BreachForums, seemingly targeting Ashkenazi Jewish customers of 23andMe.

Golem also went on to make a string of anti-semitic statements and allegations against European politicians, as well as various comments referencing Zionism.

Whoever was behind the attack only actually broke into 14,000 accounts, however, the wide-scale opting-in to the platform’s DNA Relatives feature – which allows users to browse others with whom they may be related – meant millions of users’ data was ultimately accessed.

The many different possible configurations of 23andMe’s granular account privacy controls meant that the crims were able to access varying degrees of data on affected users. From the basic profile information you’d expect to be included in a breach, to family trees and what chromosomes match to which relative, there was the potential for some highly sensitive information to be stolen.

23andMe also took the curious step of blaming their own customers’ poor security habits for allowing the breach to unfold – a bold PR move, for sure, and one we don’t often see, perhaps for good reason.

A fierce debate ensued with infoseccers piling in on the biotech company for what some believed to be wayward comms that reeked of victim-blaming. One PR expert told El Reg at the time that the company’s response “missed the mark completely.”

Others, meanwhile, supported the move, saying user negligence was indeed the reason for the breach.

Those responsible for the attack used credential stuffing methods to gain access to the circa 14,000 accounts. It’s not always the easiest thing to pick up on given that valid credentials are used to log into accounts, but there are ways to detect and prevent it, such as deploying 2FA/MFA, and that undoubtedly will be one of the first questions regulators ask as the investigation gets underway.

23andMe only enabled 2FA by default on accounts in November 2023, a month after the breach first took place, which regulators may deem to have been one guardrail installed too late in the day.

The ICO and OPC said no further comment will be made about 23andMe until the investigation is over.

A spokesperson for 23andMe sent a statement to The Register: “23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today. We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.” ®

READ MORE HERE