SAN FRANCISCO: Genetic testing company 23andMe has confirmed that hackers accessed nearly 14, 000 customers' accounts in a data breach.
In a new filing with the US Securities and Exchange Commission (SEC), the company said that a threat actor in October posted online a claim to have 23andMe users' profile information.
"Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorised activity, " it said in the filing.
Based on its investigation, it determined that hackers had accessed 0.1 per cent of its customer base.
According to the company's most recent annual earnings report, 23andMe has "more than 14 million customers worldwide, " which means 0.1 per cent is around 14, 000.
The information accessed by the threat actor varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user's genetics.
"We are working to remove this information from the public domain, " said the healthcare company. 23andMe was in the process of providing notification to users impacted by the incident as required by applicable law.
"While no company can ever completely eliminate the risk of a cyber attack, the company has taken certain steps to further protect its users' data, " said 23andMe.
The company expects to incur between $1 million and $2 million in one-time expenses related to the incident during its fiscal third quarter. The company did not specify what that "significant number" of files is, nor how many of these "other users" were impacted.