{"id":24664,"date":"2024-06-11T04:10:53","date_gmt":"2024-06-11T12:10:53","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/06\/11\/news-18394\/"},"modified":"2024-06-11T04:10:53","modified_gmt":"2024-06-11T12:10:53","slug":"news-18394","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/06\/11\/news-18394\/","title":{"rendered":"23andMe data breach under joint investigation in two countries"},"content":{"rendered":"\n<p>The British and Canadian privacy authorities have <a href=\"https:\/\/www.priv.gc.ca\/en\/opc-news\/news-and-announcements\/2024\/an_240610b\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">announced<\/a> they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/10\/23andme\">discovered<\/a> in October 2023.<\/p>\n<p>On Friday, October 6, 2023, 23andMe confirmed via a somewhat opaque <a href=\"https:\/\/blog.23andme.com\/articles\/addressing-data-security-concerns\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">blog post<\/a> that cybercriminals had \u201cobtained information from certain accounts, including information about users\u2019 DNA Relatives profiles.\u201d<\/p>\n<p>Later, an investigation by 23andMe showed that an attacker was able to directly access the accounts of roughly 0.1% of 23andMe\u2019s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing, which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. 
Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to log in on other services and platforms.<\/p>\n<p>For a subset of these accounts, the stolen data contained health-related <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/12\/23andme-says-er-actually-some-genetic-and-health-data-might-have-been-accessed-in-recent-breach\">information based on the user\u2019s genetics.<\/a><\/p>\n<p>The finding that most data was accessed through credential stuffing led to 23andMe sending a letter to legal representatives of victims <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/01\/23andme-blames-negligent-breach-victims-says-its-their-own-fault\">blaming the victims themselves<\/a>.<\/p>\n<p>Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards say they will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.<\/p>\n<p>The privacy watchdogs are going to investigate:<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<ul>\n<li>the scope of information that was exposed by the breach and potential harms to affected individuals;<\/li>\n<li>whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and<\/li>\n<li>whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.<\/li>\n<\/ul>\n<\/blockquote>\n<p>The joint investigation will be conducted in accordance with the&nbsp;<a href=\"https:\/\/www.priv.gc.ca\/en\/about-the-opc\/what-we-do\/international-collaboration\/international-memorandums-of-understanding\/mou-uk\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Memorandum of Understanding between 
the&nbsp;<abbr>ICO<\/abbr>&nbsp;and&nbsp;<abbr>OPC<\/abbr>.<\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"h-scan-for-your-exposed-personal-data\">Scan for your exposed personal data<\/h2>\n<p>You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it\u2019s best to submit the one you most frequently use) to our\u00a0<a href=\"https:\/\/www.malwarebytes.com\/digital-footprint\">free Digital Footprint scan<\/a>\u00a0and we\u2019ll give you a report. If your data was part of the 23andMe breach, we&#8217;ll let you know.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\" \/>\n<p><strong>We don&#8217;t just report on threats &#8211; we help safeguard your entire digital identity<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. Protect your\u2014and your family&#8217;s\u2014personal information by using <a href=\"https:\/\/www.malwarebytes.com\/identity-theft-protection\">identity protection<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/06\/23andme-data-breach-under-joint-investigation-in-two-countries\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Canada&#8217;s and the UK&#8217;s privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[20260,32,5897,31522],"class_list":["post-24664","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-23andme","tag-news","tag-privacy","tag-privacy-authorities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24664"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24664\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24664"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}