In October, the genetic testing company 23andMe faced a significant data breach, initially believed to affect about 14,000 of its users. However, further assessments revealed that nearly half of its 14 million users, approximately 6.9 million individuals, were impacted. The specific individuals or groups responsible for the 23andMe data breach have not been publicly identified in the information available. The breach was carried out using a technique known as credential stuffing, where attackers use previously stolen or leaked usernames and passwords to gain unauthorized access to accounts. This method suggests that the attackers may have utilized databases of compromised credentials from other breaches to target 23andMe accounts.
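Credential stuffing looks different from a classic brute-force attack in the authentication logs: instead of many password guesses against one account, a single source tries one or two leaked passwords against many distinct accounts, and a small fraction succeed. The following Python script is an added example, not code from the original post, from 23andMe or from Netizen; it shows the defender's side of that pattern. The log line format, the IP addresses, the user names and the thresholds are all constructed assumptions for illustration. It aggregates login attempts per source address, flags sources that hit many distinct accounts with a high failure ratio and roughly one attempt per account, and lists the accounts that logged in successfully from a flagged source, which is the set a company would force through a password reset and session revocation.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format (constructed for this example):
    <timestamp> ip=<source address> user=<account name> result=<ok|fail>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines. 203.0.113.5 sprays seven different accounts
# once each and gets two hits (stuffing). 198.51.100.7 is one user mistyping
# a password twice before succeeding (normal). 192.0.2.9 is a clean login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T10:00:02Z ip=203.0.113.5 user=carol result=ok
2023-10-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2023-10-01T10:00:03Z ip=203.0.113.5 user=erin result=fail
2023-10-01T10:00:04Z ip=203.0.113.5 user=frank result=fail
2023-10-01T10:00:05Z ip=203.0.113.5 user=grace result=ok
2023-10-01T10:01:00Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:01:30Z ip=198.51.100.7 user=alice result=fail
2023-10-01T10:02:00Z ip=198.51.100.7 user=alice result=ok
2023-10-01T10:03:00Z ip=192.0.2.9 user=heidi result=ok
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts targeted
    succeeded: set = field(default_factory=set)   # accounts that logged in OK


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold log lines into per-source statistics, skipping unparseable lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.succeeded.add(rec["user"])
    return stats


def detect_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.5,
                    max_attempts_per_user=2.0):
    """Flag sources that show the stuffing signature.

    The three conditions together separate stuffing from brute force:
    many distinct accounts, mostly failures (leaked passwords are often
    stale), and only one or two tries per account (no guessing loop).
    Thresholds are constructed defaults, not tuned values.
    """
    flagged = {}
    for ip, s in aggregate(lines).items():
        distinct = len(s.users)
        fail_ratio = s.failures / s.attempts
        per_user = s.attempts / distinct
        if (distinct >= min_distinct_users and fail_ratio >= min_fail_ratio
                and per_user <= max_attempts_per_user):
            flagged[ip] = {
                "attempts": s.attempts,
                "failures": s.failures,
                "distinct_users": distinct,
                "succeeded_users": sorted(s.succeeded),
            }
    return flagged


def accounts_to_reset(lines, **thresholds):
    """Accounts that authenticated from a flagged source: force a reset."""
    reset = set()
    for info in detect_stuffing(lines, **thresholds).values():
        reset.update(info["succeeded_users"])
    return sorted(reset)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in detect_stuffing(lines).items():
        print(f"stuffing source {ip}: {info}")
    print("accounts to reset:", accounts_to_reset(lines))
```

On the constructed log this flags only 203.0.113.5 and names carol and grace as the accounts to reset; the repeated failures from 198.51.100.7 are not flagged because they target a single account. In production the same aggregation would be keyed by a short time window and combined with per-account signals (a password that matches a known-leaked set, or a login from a new device), which is also where mandatory two-step verification stops a stuffed password from turning into a successful login.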
The Breach and Its Scope
The 23andMe data breach, which compromised a substantial amount of Personally Identifiable Information (PII), highlights the already significant privacy concerns within the realm of genealogy testing companies. The breach allowed unauthorized access to sensitive features like “DNA Relatives” and “Family Tree,” leading to the scraping of critical data such as ancestry information, health data based on genetics, names, birth years, and familial relationships. Particularly concerning was the exposure of data related to users of Ashkenazi Jewish and Chinese descent, underscoring the potential risks of genetic discrimination. As reported by HealthITSecurity, this targeted nature of the breach “put minority groups at risk”. TechCrunch provided insight into the extent of the breach, noting that “The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location”. This breach not only jeopardized individual privacy but also raised alarms about the broader implications of genetic data misuse.
In response, 23andMe took steps to mitigate the breach’s impact, with a spokesperson stating, “We are working to remove this information from the public domain”. The company also updated its user agreement with new terms that make it harder for customers to initiate class action lawsuits, including a longer initial dispute period and stronger language to prevent collective legal actions. Furthermore, 23andMe has required all users to reset their passwords and has made two-step verification mandatory for all logins.
The Broader Impact
The 23andMe incident highlights the broader implications of data breaches in the healthcare and genetic testing sectors. As companies collect more sensitive personal and genetic information, the potential consequences of data breaches become increasingly severe, especially when companies like 23andMe and Ancestry are not HIPAA compliant. It is imperative that companies like 23andMe and their users remain vigilant against such cyber threats to protect the privacy and integrity of personal genetic data. In addition, it is crucial for prospective customers of companies like 23andMe to be cognizant of the fact that, while these companies hold a significant amount of their PHI (Protected Health Information), they are not HIPAA compliant.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –