In a startling revelation, the California-based genetic testing company 23andMe has acknowledged that a recent data breach has compromised the sensitive information of 6.9 million users.
The company initially denied the claims, saying they had conducted an investigation and had not identified ‘any unauthorized access to our systems’.
However, the company was forced to admit the breach after a hacker using the moniker ‘Golem’ published the genetic profiles on cybercrime marketplace BreachForums.
By exploiting the platform's DNA Relatives feature, the hackers exposed a vast trove of personal data, including ancestry reports, genetic makeup, family history, and even self-reported locations.
The Breach: How it Unfolded
The breach originated from a credential stuffing attack, a technique where hackers utilize login credentials obtained from other data breaches to access user accounts.
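Credential stuffing leaves a distinctive trace in authentication logs: one source trying many different accounts with a high failure rate, with the occasional success where a reused password matched. The following detector is an added example, not code from 23andMe or from the original article; it runs over constructed sample log lines (the format, account names and IP addresses are assumptions) and reports, for each suspicious source, the accounts whose logins succeeded and therefore need a forced password reset.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not real 23andMe data).
# Format assumed: timestamp user source_ip result
SAMPLE_LOG = """\
2023-10-01T10:00:01 alice 203.0.113.7 FAIL
2023-10-01T10:00:02 bob 203.0.113.7 FAIL
2023-10-01T10:00:02 carol 203.0.113.7 OK
2023-10-01T10:00:03 dave 203.0.113.7 FAIL
2023-10-01T10:00:03 erin 203.0.113.7 FAIL
2023-10-01T10:00:04 frank 203.0.113.7 OK
2023-10-01T10:00:05 grace 203.0.113.7 FAIL
2023-10-01T10:00:05 heidi 203.0.113.7 FAIL
2023-10-01T10:00:06 ivan 203.0.113.7 FAIL
2023-10-01T10:00:06 judy 203.0.113.7 FAIL
2023-10-01T10:01:00 alice 198.51.100.9 FAIL
2023-10-01T10:01:05 alice 198.51.100.9 OK
2023-10-01T10:02:00 bob 192.0.2.44 OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    successes: set = field(default_factory=set)    # accounts that logged in

def summarize(log_text):
    """Aggregate attempts, failures and account sets per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats

def flag_credential_stuffing(log_text, min_users=5, min_fail_rate=0.5):
    """Flag sources that spray many distinct accounts and mostly fail.
    A single user retrying their own password (few accounts) is not flagged."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"distinct_users": len(s.users),
                           "fail_rate": fail_rate,
                           "compromised": sorted(s.successes)}
    return flagged
```

The `compromised` list is the set of accounts to reset and to review for downstream data access, such as relative-matching queries made from those sessions.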
The mass leak came to light in early October when users on a hacking forum claimed to be selling troves of user data including ‘photographs’ and ‘phenotype information’ for thousands of dollars.
23andMe said that the breach was caused by a third-party vendor that was hacked. The breach has sent shockwaves through the privacy community, raising alarms about the potential consequences of sharing sensitive genetic information with third-party companies.
In this instance, the attackers gained access to approximately 0.1% of 23andMe’s overall customer base, which amounts to roughly 14,000 individuals.
Additionally, the breach affected approximately 5.5 million DNA Relatives and 1.4 million Family Tree profiles.
The company disclosed the breach in a regulatory filing on Friday, December 1, 2023.
The Leaked Data Includes
- Display names
- Predicted relationships with others
- Amount of DNA shared with matches
- Ancestry reports
- Self-reported locations
- Ancestor birth locations
- Family names
- Profile pictures
Additionally, the family tree profiles of 1.4 million users were compromised, exposing information such as display names, relationship labels, birth years, and self-reported locations.
23andMe’s Response: Damage Control
In response to the breach, 23andMe has initiated measures to mitigate the damage and safeguard user data. The company has:
- Notified affected users by email
- Instructed users to reset their passwords
- Implemented mandatory two-step verification for all users
The company is also offering affected users a free year of its premium service, which includes access to additional genetic data and health reports.
The 23andMe breach is particularly concerning because it involved the theft of sensitive genetic data.
This information could be used to discriminate against people based on their genetic predispositions to various health conditions, such as asthma, anxiety, high blood pressure, and macular degeneration.
23andMe’s Terms of Service Changes
23andMe has made changes to its terms of service that are being called “cynical” and “self-serving” by lawyers. These changes come just two days after the company disclosed that hackers had accessed the personal and genetic data of millions of customers.
The new terms of service are designed to make it more difficult for victims of the breach to band together in filing a legal claim against the company.
This is done by forcing customers to go through individual arbitration rather than class action lawsuits. Arbitration is a private process that is often quicker and more cost-efficient than a lawsuit, but it also skews in favor of corporations.
Privacy Concerns and Legal Protections
The exposure of health data raises serious concerns about the privacy of individuals who have entrusted their genetic information to 23andMe.
In the United States, health information is typically protected by the Health Insurance Portability and Accountability Act (HIPAA). However, these protections only apply to healthcare providers.
The Genetic Information Nondiscrimination Act (GINA) of 2008 provides some protection against discrimination in employment and health insurance based on genetic information.
However, this law has loopholes, and life insurers and disability insurers are not bound by these restrictions.
Victims of the breach are already taking legal action against 23andMe. A class action lawsuit has been filed in Illinois, and two class action lawsuits have been filed in Canada.
Things To Consider Before Sharing Your Genetic Data
- What will the company do with your data?
- Who will have access to your data?
- How will your data be protected?
- What are the potential consequences of sharing your data?
The 23andMe data breach highlights the importance of cybersecurity and the need for individuals and organizations to take proactive measures to protect sensitive data.
As more and more people turn to at-home DNA testing kits, it is important to be aware of the potential risks and to take steps to protect your privacy.