23andMe data breach under ICO investigation: What it means for you

The UK’s Information Commissioner’s Office (ICO) will investigate 23andMe over its recent data breach. This means the data watchdog thinks the genetic testing company has questions to answer over how it handled its customer’s private data.  

The investigation is good news for people who have joined a legal action against 23andMe, as it will help establish exactly what happened.

What do we know about the 23andMe data breach?

In October 2023, hackers accessed the accounts of around 14,000 23andMe customers.` Here’s what we know so far:  

• The criminals used emails and passwords stolen in other breaches to login to the accounts of some 23andMe customers 

• The security failure exposed a range of sensitive data 

• 23andMe blamed its users for the security violation 

• 23andMe has a feature called ‘DNA Relatives’ that lets people share data with users they are related to. The hackers exploited this to access the data of around seven million people. 

The ICO will work alongside its Canadian counterpart, the Office of the Privacy Commissioner of Canada (OPC). Together, they will look at: 

• The scope of information that was exposed by the breach 

• The potential harm to affected people 

• Whether 23andMe had adequate safeguards to protect the highly sensitive information within its control 

• Whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws. 

Are you affected by the 23andMe data hack?