Are You at Fault for the 23andMe Data Breach

Updated 10/28/2023: The data breach at 23andMe must be really bad. It has drawn the attention (PDF) of a business-loving GOP Senator.

A data breach has affected customers of the genomics firm 23andMe (ME), a U.S. biotechnology company that sells consumer genetic testing. Customers send a saliva sample to its lab and get back a report on their ancestry and genetic predispositions. The information exposed in this breach includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographic location.

Reports indicate that a hacker first advertised the stolen data on August 11, 2023, on the Hydra cybercrime forum, claiming to possess 300 terabytes of 23andMe user data. The data re-emerged on October 2, 2023, when a hacker using the username “Golem” posted the records on the cybercrime forum BreachForums. The hacker openly made an anti-Semitic threat, boasting that it was a targeted attack on Ashkenazi Jews, and claimed the records contained “information on all wealthy families serving Zionism … You can see the wealthiest people living in the US and Western Europe on this list.”

The data breach expands

On October 16, Golem claimed the data contained “samples from hundreds of families, including the royal family, Rothschilds, Rockefellers, and more.” The reference to the Rothschilds, a recurring subject of antisemitic conspiracy theories, echoes Golem’s earlier publication of 23andMe records allegedly focused on people of Ashkenazi Jewish descent.

23andMe spokesperson Andy Kill told TechCrunch in an emailed statement that the company was made aware of the new leak and that it is “reviewing the data to determine if it is legitimate.”

23andMe blames customers for data breach

On October 6, 23andMe confirmed that the attackers behind the breach had obtained some user data. The company said the attackers got in by credential stuffing. Credential stuffing is a common technique in which attackers take username (or email) and password pairs already leaked in other companies’ breaches and replay them against a new site, betting that people reuse the same password everywhere. It needs no vulnerability in the target; it only needs customers who reused a password and a login page that lets one source try thousands of accounts.

In response to the breach, 23andMe urged users to change their passwords and enable multi-factor authentication. On its official page addressing the incident, 23andMe attributed it to customers who reused passwords and to its DNA Relatives feature. DNA Relatives is an opt-in feature that lets a user see profile data of other opted-in users whose DNA matches theirs. That is what turned a handful of stuffed accounts into millions of exposed records: once inside one opted-in account, the attackers could scrape the profiles of every relative it matched, including people whose own credentials were never leaked.
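The two mechanisms above, credential stuffing to get into accounts and then harvesting from inside them, leave a recognisable trace in login logs: one source trying many distinct accounts with mostly failures and a few successes. The following is an added example, written for this page and not 23andMe’s code or logs. It parses a constructed batch of authentication events in an assumed `time ip=… user=… result=OK|FAIL` format, separates a stuffing source from a single forgetful user, and lists the accounts that were successfully logged into from the stuffing source, which are the ones whose DNA Relatives view would have been scraped and that need a forced reset. The thresholds (`min_users`, `min_fail_ratio`) are illustrative choices.

```python
"""Detect credential-stuffing traffic in a batch of authentication log lines.

Constructed example (not 23andMe's code or logs). Assumed log format, one event per line:
    <ISO-8601 time> ip=<source ip> user=<account> result=<OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 198.51.100.9 replays leaked email/password pairs (many distinct
# users, mostly failures, a couple of hits). 203.0.113.5 is one user mistyping a
# password twice. 203.0.113.77 is an ordinary successful login.
SAMPLE_LOG = """\
2023-08-10T09:00:01Z ip=198.51.100.9 user=ann@example.com result=FAIL
2023-08-10T09:00:02Z ip=198.51.100.9 user=bob@example.com result=FAIL
2023-08-10T09:00:02Z ip=198.51.100.9 user=cara@example.com result=OK
2023-08-10T09:00:03Z ip=198.51.100.9 user=dan@example.com result=FAIL
2023-08-10T09:00:03Z ip=198.51.100.9 user=eve@example.com result=FAIL
2023-08-10T09:00:04Z ip=198.51.100.9 user=fay@example.com result=FAIL
2023-08-10T09:00:04Z ip=198.51.100.9 user=gus@example.com result=OK
2023-08-10T09:00:05Z ip=198.51.100.9 user=hal@example.com result=FAIL
2023-08-10T09:00:05Z ip=198.51.100.9 user=ida@example.com result=FAIL
2023-08-10T09:00:06Z ip=198.51.100.9 user=jon@example.com result=FAIL
2023-08-10T09:01:00Z ip=203.0.113.5 user=kim@example.com result=FAIL
2023-08-10T09:01:09Z ip=203.0.113.5 user=kim@example.com result=FAIL
2023-08-10T09:01:20Z ip=203.0.113.5 user=kim@example.com result=OK
2023-08-10T09:02:00Z ip=203.0.113.77 user=lee@example.com result=OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts with an OK from this source


def parse_line(line):
    """Return the event fields as a dict, or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than guessing at them
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(ev["user"])
    return stats


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted accounts that logged in OK from a credential-stuffing source}.

    Heuristic: stuffing is one source trying MANY DISTINCT accounts, each once or
    twice, with a high failure rate (leaked pairs are mostly stale). A brute-force
    attack or a forgetful user hammers ONE account, so the distinct-user count
    tells them apart even when both show many failures.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; force password reset and MFA for {accounts}")
```

Only the spraying source is flagged; the user who mistyped a password is not, even though two of their three attempts failed. In practice attackers rotate through proxy pools, so a production rule keys on more than the source address (ASN, user-agent, request timing, device fingerprint), but the signal is the same: many accounts, few successes, from one place.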

Splitting hairs

23andMe stated it found no evidence of a “data security incident” because the information the hackers gathered was already visible to opted-in users. But putting the burden on consumers to protect their own sensitive data with strong passwords and careful account hygiene is wrongheaded, Suzanne Bernstein of the Electronic Privacy Information Center told the Washington Post: “If 23andMe is collecting, storing and processing a tremendous amount of very highly sensitive personal data, I think at the end of the day they should take responsibility for that.”

Data breach victims not protected

The type of information genetic testing companies like 23andMe collect is not currently protected by the Health Insurance Portability and Accountability Act (HIPAA), which covers health-care providers and insurers rather than consumer DNA services. 23andMe’s privacy policy still allows for third-party data sharing.

How to Protect Your Data from Breaches

Now that your genetic data is probably in the wild for anyone to abuse, you should do the following:

  1. Choose unique, impossible-to-guess passwords.
    23andMe users should immediately change their passwords. The new password should be long, random, and never used on any other site; a password manager is the practical way to do that. A unique password per site is what defeats credential stuffing: a password leaked from one breach then opens nothing else.
  2. Turn on two-factor authentication.
    With a second factor enabled, a leaked password alone is not enough to log in.
  3. Request to delete your data.
    A 23andMe customer can request to delete their information from the site. If you live in a state with a comprehensive privacy law, the company is required to do so. But during the account deletion process, 23andMe tells users that the company and its partner lab will hang onto your “genetic information, date of birth and sex” after your account is deleted, per state and federal legal requirements, according to the Washington Post.

    This means that even after 23andMe deletes your account, it still retains potentially sensitive genetic information. Researchers have shown that so-called anonymous genetic data can in some cases be re-identified.

  4. Don’t share genetic information.
    Sharing your genetics with a DNA database increases your risk of botched criminal procedure, discrimination from insurance companies and employers, and targeted attacks such as blackmail, privacy experts say.

rb-

Now that your entire family’s DNA is out there, there is no getting it back.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
