ICO and Privacy Commissioner of Canada announce investigation into 23andMe data breach

On 10 June 2024, the ICO announced that together with the Office of the Privacy Commissioner of Canada they have launched an investigation into the 23andMe data breach which took place in October 2023.

The data breach, which was caused by hackers accessing the company’s systems, affected nearly 7,000,000 individuals, and involved highly sensitive data. The Guardian reported that hackers had sold profiles and also leaked data online.

The ICO has advised the joint investigation will cover:

  • the scope of information that was exposed by the breach and potential harms to affected people;
  • whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
  • whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws.


Don't just take our word for it