Genomics Company 23andMe Data Breach Investigated

The Silicon Valley gene-testing company holds ‘highly sensitive information’ from customers worldwide and is being probed by the UK Information Commissioner.
A sign is posted in front of the 23andMe headquarters in Sunnyvale, California, on Feb. 1, 2024. (Justin Sullivan/Getty Images)
Rachel Roberts

The UK Information Commissioner’s Office (ICO) has launched a joint investigation with its Canadian counterpart into a 2023 hack of “highly sensitive information” held by the gene-testing company 23andMe.

The biotech company is headquartered in San Francisco and markets its testing kits worldwide, inviting consumers to discover their ancestry and genetic traits by sending a saliva sample by post.

In October 2023, the company disclosed that hackers had obtained highly personal information relating to around seven million of its customers and had attempted to sell it on the dark web.

The Information Commissioner’s Office said in a statement: “23andMe is a custodian of highly sensitive personal information, including genetic information which does not change over time. It can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential.”

Data Offered on Dark Web

A post on an online forum apparently advertised the personal information obtained in the hack, including users’ origin estimation, health information, photos, phenotype and identification data.

A screenshot of this post was shared on the social media platform X on Oct. 4 by a user going by the name Dark Web Informer, who claimed that “13 million pieces of data” had been obtained in the hack.

Another post advertised sample data for one million users on an online forum. The account later offered to sell data profiles in bulk for $1–$10 per account, according to the information security publication BleepingComputer.

The investigation will examine the scope of information exposed by the breach as well as potential harms caused, and will consider whether or not the company had adequate safeguards in place.

It will also look at whether the company provided sufficient notification about the breach to the two regulators and affected customers as required under data protection laws in both the UK and Canada.

UK Information Commissioner John Edwards said, “People need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”

Philippe Dufresne, privacy commissioner of Canada, said: “In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”

Since the breach, 23andMe said it has enhanced its security by requiring two-factor authentication for all new and existing users. Two-factor authentication directly counters credential stuffing, in which attackers replay username and password pairs leaked from other sites, because a reused password alone no longer grants access.

23andMe Co-Founder Anne Wojcicki speaks onstage at Yerba Buena Center for the Arts in San Francisco on Oct. 9, 2014. (Kimberly White/Getty Images for Vanity Fair)

According to its website, the company has sold more than 12 million DNA kits since 2006. Kits cost from around £79 for ancestry only up to £239 for health and ancestry traits, with an annual subscription available as an add-on for updates.

In the United States, the company has been hit with a number of class action lawsuits since the breach from users who claimed 23andMe had failed to take adequate safeguarding measures to protect their DNA.

In a statement, the company said: “23andMe acknowledges the joint investigation announced by the privacy commissioner of Canada and the UK information commissioner today.

“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023.”
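The company attributes the intrusion to credential stuffing: logging in with username and password pairs leaked from unrelated breaches, rather than by breaking into 23andMe’s systems directly. The following is an added example, written for this page and not code from 23andMe, the regulators or the article, showing the kind of detection logic a defender would run over authentication logs to spot such a campaign and to list the accounts whose passwords need resetting. The log format (timestamp, source IP, username, outcome), the sample events and the threshold values are all constructed assumptions; no real 23andMe data or infrastructure is represented.

```python
"""Credential-stuffing detection heuristic over constructed authentication logs.

A stuffing campaign looks different from both normal traffic and a classic
brute force: one source tries *many distinct accounts*, usually *once or twice
each*, and most attempts fail because only the reused passwords match.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumed format: timestamp source_ip username outcome).
# 203.0.113.7 is the stuffing source, 192.0.2.9 a single-account brute force,
# the 198.51.100.x addresses are ordinary users.
SAMPLE_LOG = """\
# timestamp source_ip username outcome
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com OK
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:01:00Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:01:01Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:01:02Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:01:03Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:01:04Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:01:05Z 192.0.2.9 alice@example.com FAIL
2023-10-01T10:02:00Z 198.51.100.2 dave@example.com FAIL
2023-10-01T10:02:05Z 198.51.100.2 dave@example.com OK
2023-10-01T10:03:00Z 198.51.100.3 erin@example.com OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated log format, skipping comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        events.append(AuthEvent(ts, ip, user, outcome == "OK"))
    return events


def flag_stuffing_sources(
    events: list[AuthEvent],
    min_distinct_users: int = 5,      # many accounts from one source
    max_success_rate: float = 0.5,    # most reused passwords do not match
    max_attempts_per_user: float = 3.0,  # few tries per account (not brute force)
) -> dict[str, dict]:
    """Return {src_ip: stats} for sources whose pattern matches credential stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e.src_ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        s["ok"] += int(e.success)

    flagged = {}
    for ip, s in per_ip.items():
        n_users = len(s["users"])
        success_rate = s["ok"] / s["attempts"]
        attempts_per_user = s["attempts"] / n_users
        if (n_users >= min_distinct_users
                and success_rate <= max_success_rate
                and attempts_per_user <= max_attempts_per_user):
            flagged[ip] = {
                "distinct_users": n_users,
                "attempts": s["attempts"],
                "success_rate": success_rate,
            }
    return flagged


def accounts_to_reset(events: list[AuthEvent], flagged_ips) -> list[str]:
    """Accounts that a flagged source logged into successfully: their password is known."""
    return sorted({e.user for e in events if e.success and e.src_ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(evs)
    print("stuffing sources:", hits)
    print("force password reset + enrol 2FA:", accounts_to_reset(evs, hits))
```

Grouping by source IP is only the first cut; a real campaign is spread across residential proxies so that no single address crosses the threshold. The same statistics computed per ASN, per client fingerprint (user agent, TLS fingerprint) or site-wide (a sudden jump in the global failure rate and in the number of distinct usernames seen) catch the distributed case. The remediation column is the important output: every account the campaign logged into has a password that is already public, so resetting it and enforcing a second factor, as the company says it now does, is what actually closes the hole.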

Potential for Misuse

The company’s website has a section dedicated to “Privacy,” where it tells customers that it is their choice whether their saliva sample is retained in its biobank or “safely discarded” after being processed.

“When you explore your DNA with 23andMe, you entrust us with important personal information. That’s why, since day one, protecting your privacy has been our number one priority. We’re committed to providing you with a safe place where you can learn about your DNA knowing your privacy is protected,” the website reads.

The company was founded in 2006 and began selling its kits in the UK in 2008, becoming the first to offer home kits which could reveal both ancestral and health traits to consumers.

Concerns about privacy and the potential for misuse of people’s DNA have been raised in the media, along with stories of customers uncovering more than they bargained for through the tests, such as learning that the person who raised them could not be their biological parent, or that their genes place them at increased risk of serious illnesses, including Alzheimer’s and some types of cancer.

Because the test maps significant portions of a customer’s genome, concerns have also been raised that the data could be used for genetic discrimination, for example by insurers.

Partnership With Pharmaceutical Giant

On July 25, 2018, 23andMe announced a partnership with GSK, then known as GlaxoSmithKline, to allow the British pharmaceutical company to use test results from five million customers to design new drugs. GSK invested $300 million in the company, and in 2022, this partnership was extended until July 2023 with an additional $50 million payment from GSK.

In July 2020, the company announced its first clinical trial partnership with GSK aiming to create cancer drugs.

According to 23andMe, around 80 percent of its customers have consented to their samples being used anonymously for research purposes, and the company has signed genetic data partnerships with multiple pharmaceutical and biotech giants, including Pfizer and Genentech.

The company went public in 2021, when it was valued at £6 billion after merging with a special purpose acquisition company backed by Virgin founder Sir Richard Branson, leading Forbes to declare the company’s chief executive, Anne Wojcicki, the “newest self-made billionaire.” The Silicon Valley celebrity was previously married to Google co-founder Sergey Brin.

Since its listing, the company’s value is reported to have plummeted by 98 percent, and the Nasdaq stock exchange has threatened to delist its sub-$1 stock.

Rachel Roberts is a London-based journalist with a background in local then national news. She focuses on health and education stories and has a particular interest in vaccines and issues impacting children.