Genetic testing company 23andMe is currently under investigation by the UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) for a data breach that occurred in October 2023.


Headquartered in the United States, 23andMe suffered a data breach in October 2023 affecting over 12 million customers who had purchased DNA testing kits since 2006. The breach exposed ancestry information for 6.9 million individuals [10], including family history, birth dates [3] and birth years [6] [9] [12], genetic data [1] [2] [4] [7] [11] [12], names [12], relationship labels [12], DNA shared with relatives [12], ancestry reports [12], and self-reported locations [12]. The attackers gained access through credential stuffing: logging in with username and password pairs leaked in unrelated breaches, which succeeds against any account whose owner reused the same password on 23andMe. Profile information for roughly half of 23andMe's 14 million users was compromised as a result [10]; financial data was not. 23andMe attributed the breach to customers recycling passwords and not changing them after previous security incidents. The ICO and OPC have opened a joint investigation to assess the breach's extent, evaluate the safeguards in place for protecting personal information [5], and review how affected individuals were notified [1] [10] [12].
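Credential stuffing spreads one guess over many accounts, so the per-account lockout that stops brute force never trips; what gives it away is the per-source shape of the traffic (many distinct usernames, about one attempt each, mostly failures). The following is an added example, not code from the article or from 23andMe: it runs that detection over authentication logs and lists the accounts that did log in from a stuffing source, since those are the ones whose reused passwords need a forced reset. The log format, the sample lines and the thresholds are constructed assumptions for illustration and would be tuned against real traffic.

```python
"""Credential-stuffing detection over authentication logs (added example).

The log format "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class AuthEvent(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


# Constructed sample: 203.0.113.10 behaves like a stuffing source (many
# accounts, one guess each), 198.51.100.7 like brute force (one account,
# many guesses), 192.0.2.5 / 192.0.2.6 like ordinary users.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.10 alice LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.10 bob LOGIN_FAIL
2023-10-01T10:00:03Z 203.0.113.10 carol LOGIN_OK
2023-10-01T10:00:04Z 203.0.113.10 dave LOGIN_FAIL
2023-10-01T10:00:05Z 203.0.113.10 erin LOGIN_FAIL
2023-10-01T10:00:06Z 203.0.113.10 frank LOGIN_OK
2023-10-01T10:01:00Z 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:01:01Z 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:01:02Z 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:01:03Z 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:01:04Z 198.51.100.7 alice LOGIN_FAIL
2023-10-01T10:02:00Z 192.0.2.5 alice LOGIN_OK
2023-10-01T10:03:00Z 192.0.2.6 bob LOGIN_FAIL
2023-10-01T10:03:09Z 192.0.2.6 bob LOGIN_OK
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed log format, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        ts, ip, user, result = parts
        events.append(AuthEvent(ts, ip, user, result == "LOGIN_OK"))
    return events


def classify_sources(
    events: List[AuthEvent],
    min_attempts: int = 5,          # ignore sources with too little traffic
    min_distinct_users: int = 5,    # stuffing touches many accounts...
    max_attempts_per_user: float = 2.0,  # ...with ~1 guess per account
    min_fail_ratio: float = 0.6,    # and most guesses fail
) -> Dict[str, str]:
    """Label each source IP as credential_stuffing, brute_force or benign."""
    attempts: Dict[str, int] = defaultdict(int)
    failures: Dict[str, int] = defaultdict(int)
    users: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        attempts[ev.ip] += 1
        failures[ev.ip] += 0 if ev.ok else 1
        users[ev.ip].add(ev.user)

    labels: Dict[str, str] = {}
    for ip, n in attempts.items():
        distinct = len(users[ip])
        fail_ratio = failures[ip] / n
        if n < min_attempts:
            labels[ip] = "benign"
        elif (distinct >= min_distinct_users
              and n / distinct <= max_attempts_per_user
              and fail_ratio >= min_fail_ratio):
            labels[ip] = "credential_stuffing"
        elif distinct < min_distinct_users and fail_ratio >= min_fail_ratio:
            labels[ip] = "brute_force"   # few accounts, hammered repeatedly
        else:
            labels[ip] = "benign"
    return labels


def compromised_accounts(events: List[AuthEvent], labels: Dict[str, str]) -> Set[str]:
    """Accounts that logged in successfully from a stuffing source.

    These need a forced password reset and session revocation; the failed
    guesses are noise, the successes are the reused passwords.
    """
    return {ev.user for ev in events
            if ev.ok and labels.get(ev.ip) == "credential_stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:15} {label}")
    print("accounts to reset:", sorted(compromised_accounts(evs, verdicts)))
```

On the sample data the stuffing source never tries any one account twice, so an account-lockout rule alone would have logged two clean logins and nothing else; the per-source view is what surfaces it. In production the same logic runs per time window and should also consider shared signals (credential pairs matching a known-breached list, user-agent uniformity, ASN), since stuffing campaigns rotate through proxy pools to stay under per-IP thresholds.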


The investigation by the ICO and OPC underscores the importance of trust in organizations handling sensitive data, such as genetic information [8]. Regulators will evaluate the breach’s impact, potential harms to affected individuals, 23andMe’s data protection measures [11], and notification practices [1] [3] [4] [10] [11] [12]. This joint investigation demonstrates a commitment to cross-border collaboration in safeguarding individuals’ privacy rights and highlights the international repercussions of data breaches. 23andMe has acknowledged the investigation and pledged to cooperate with regulators, emphasizing the need for improved security measures and vigilance in protecting personal information.