- David Polách
23andMe is a publicly traded American corporation. Her business focuses on personal genomics and biotechnology. The company's best-known product is the provision of genetic tests to end customers, who, based on the results, are provided with a report regarding their origin and genetic predispositions, focused mainly on health. The results are accessible through the profile of individual users on the company's website. And according to available information, this is the information that has become public. A file containing the personal information of more than 7 million 23andMe users has been posted on hacker forums. This is supposed to be more than half of the company's total number of customers.
Highly confidential personal data about customers were published - photos, information about their health, date of birth, geolocation data and user phenotype. Under the phenotype, you can imagine a wide range of information - physical appearance (eye or hair color, physical characteristics of the body), individual behavior (temperament), health status (including susceptibility to cancer and various predispositions), intelligence or personality. The authenticity of the data has been confirmed by the company.
However, 23andMe denies that this information was leaked as a result of a security incident in its systems. The collection of personal data about users is explained by the fact that the attacker used user credentials that were leaked from other sites, applications or systems. The attacker then collected the information using the "DNA relatives" function. This is used to connect people with common ancestors and trace distant parts of the family. This function is not turned on automatically - users must log in to use it. According to the company's claim, the "scraping" technique was used, i.e. the collection of data that can be accessed without abusing system errors, theft of personal data, etc. The company's claim thus implies that there has been mining of data that customers themselves have published about themselves through the function "DNA Relatives". Considering the scope of the published data, it is clear that the data was collected from more than one account. The attacker then offered the aforementioned data for sale - their price varied according to the number of profiles that the interested party would buy. The price ranged from $1 to $10 per profile.
In connection with the data breach, the company requires its users to change their passwords and encourages them to implement multi-factor authentication. However, the question that precedes all of the above and often appearing on the Internet - is whether the benefits of the provided service outweigh the fact that personal data is placed on the Internet in this way.