The personal information of millions of people who sent swabs of their DNA to consumer testing services has been leaked in high-profile hacks in recent years, leading to questions about how secure that genetic data is.
In autumn 2023, a hacker called Golem posted on a well-known message board for cybercriminals, announcing a trove of data stolen from 23andMe, one of the biggest names in at-home DNA testing.
News began to circulate suggesting the data breach on Friday 6 October 2023 may have even had antisemitic motivations.
23andMe co-founder Anne Wojcicki was among those whose profiles were allegedly included in the data breach.
Data breaches happen all the time, says Brett Callow, a threat analyst with cybersecurity firm Emsisoft.
A data breach that included ethnicity estimates given in ancestry reports could mean that Jewish people who had taken a DNA test could potentially have a permanent digital yellow star next to their names, photographs and geographical location.
With the data of half of 23andMe's customers now in the hands of cybercriminals, the breach clearly affected far more than just Ashkenazi Jewish account holders.
In subsequent posts on the hacker forum, Golem supposedly offered the data of British, German and Chinese 23andMe users, as well as that of 23andMe chief executive Anne Wojcicki, her ex-husband and Google founder Sergey Brin, Elon Musk and members of the British Royal Family.
When news of the 23andMe data breach first broke, the reaction was relatively muted: the attention of Jewish groups was focused on the attacks Hamas had launched on Israel that weekend, and the rise in antisemitic hate incidents in the weeks that followed it.
Once those accounts had been infiltrated, the hacker was able to amass a much larger trove of data through the DNA Relatives feature of 23andMe, which allows account holders to connect with genetic relations.
In response to inquiries from journalists at TechCrunch in December 2023, 23andMe admitted that in fact the data of 6.9 million users - roughly one out of every two people who had sent their DNA to the company - had been breached.
Prior to October 2023 this wasn't a necessary requirement to access an account on 23andMe, even though it held genetic ancestry data coupled with geographical and biographical information.
The October 2023 23andMe breach was the first time hackers had offered the data for sale.
Last year, America's Federal Trade Commission took action against two direct-to-consumer DNA testing companies, CRI Genetics and 1Health/Vitagene, for failing to keep DNA data secure.
Regardless of the motivation, any breach involving genetic data has potentially wide-ranging consequences.
In an age where an increasing number of financial decisions are made by algorithms that scrape all possible sources of information about an individual, there is a serious possibility of financial loss and discrimination arising from a leak of genetic data.
It's easy to imagine a scenario where leaked genetic data might lead to higher premiums or customers being denied cover entirely because of their genes, or being rejected for a long-term bank loan or mortgage because leaked data suggests a higher likelihood of the borrower developing Alzheimer's and passing away before it could be repaid in full.
23andMe has said the data breach of its user profiles did not include the leaking of raw DNA profiles, but the hacker still had access to ancestry reports that gave ethnicity estimates, geographical location, links to family trees and other personal information.
23andMe now faces several class action lawsuits in the US as a consequence of the data breach.
Even if it were possible to keep data as sensitive as our genetic code safe from hackers, there is no guarantee that once we have consented to share it with a corporation it will remain in their possession.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 13 Feb 2024 22:43:04 +0000