7 Million Affected By DNA Website Breach
DNA and ancestry site 23andMe has admitted nearly 7 million customers are affected by a data breach. Both the breach itself and the way the site organizes its data contributed to what could be a legal disaster for the company.
23andMe is named after the number of segments of DNA that people share with each parent. The service involves customers submitting a DNA sample to be used either to check for genetic health conditions, get information about ancestry such as ethnic origin, or both. Customers can also agree to be put in touch with other customers when a DNA match suggests a possible family relationship.
The company recently admitted that a data breach meant "threat actors" accessed personal data about 0.1 percent of customers, which would be around 14,000 people. It also said other files were affected but only revealed the scope as "a significant number." (Source: theguardian.com)
Data Limits Breached
The company has now admitted that the number affected is actually 6.9 million. That's made up of 5.5 million who agreed to share some data with potential relatives. This includes name, year of birth, location (self-reported), and the percentage of DNA shared with relatives. A further 1.4 million users had information from their "Family Tree" profile revealed. (Source: techcrunch.com)
In other words, the hackers not only accessed the data of the 14,000 people whose records they found, but also information shared by other users. Of course, these users agreed to the sharing under the belief it would only be revealed to potential matches and otherwise kept unavailable.
It's important to note that only the 14,000 breached records contain full genetic data. The 6.9 million records accessed through the sharing features "merely" contain personal information.
Data For Sale
Some user records have already been published online, apparently by the hackers in an attempt to prove their claim to hold the stolen data. They have offered to sell the data, though it's possible they could ask for a ransom to keep the data confidential. 23andMe hasn't spoken publicly about any such demands or negotiations.
The breach will likely provoke legal problems and debate about the wisdom of such services. Aside from any legal action that customers bring, 23andMe could face regulatory action under multiple privacy laws. These often include enhanced penalties for breaches involving sensitive personal data.
At the same time, more cynical analysts are already suggesting this proves customers were exceptionally unwise to provide genetic material to a private company.
What's Your Opinion?
What consequence should 23andMe face? Do you have sympathy with the affected customers? Does private company use of DNA information need tighter regulation or is it a case of buyer beware?
Comments
DNA
Though I have to admit I have at times been curious, my natural distrust of such things has always won out.
A data breach is just one of the things that keeps me away.
Another is the access law enforcement has and another is possible future access and use by insurance companies using it to deny coverage.
Their liability rests solely, I believe, on the user consent form the customers signed. People should know by now that anything stored online is hackable.
Exactly. Simply do not
Exactly. Simply do not provide companies with real information about yourself, if possible.