Leakage of information containing genetic data and details about ancestors - 23andMe data breach 

23andMe data breach

23andMe is a publicly traded American corporation whose business focuses on personal genomics and biotechnology. Its best-known product is a consumer genetic test: based on the results, customers receive a report on their ancestry and their genetic predispositions, focused mainly on health. The results are accessible through each user's profile on the company's website, and according to available information it is this profile information that has become public. A file containing the personal information of more than 7 million 23andMe users has been posted on hacker forums, reportedly more than half of the company's total customer base.

Highly sensitive personal data about customers were published: photos, health information, dates of birth, geolocation data and users' phenotype. Phenotype covers a wide range of information: physical appearance (eye or hair color, physical characteristics of the body), individual behavior (temperament), health status (including susceptibility to cancer and other predispositions), intelligence or personality. The company has confirmed the authenticity of the data.

However, 23andMe denies that the information was leaked as a result of a security incident in its own systems. It explains the collection of users' personal data by the attacker's use of credentials that had leaked from other sites, applications or systems, i.e. credential stuffing: the attacker logs into accounts whose owners reused a password that was already exposed elsewhere. Through those accounts, the attacker then collected information using the "DNA Relatives" function, which connects people with common ancestors and lets them trace distant branches of the family. The function is not turned on automatically; users must enable it themselves. According to the company, the data were gathered by "scraping", i.e. collecting data that is accessible to a logged-in user without exploiting any system flaw or stealing it from the back end. The company's position thus implies that the attacker harvested data that customers themselves had made visible to their DNA relatives through that function. Given the volume of published data, it was clearly collected through more than one compromised account; and because each participating account can see the profiles of all of its DNA relatives, a comparatively small number of logins can yield a very large number of profiles. The attacker then offered the data for sale, with the price depending on how many profiles the buyer wanted, ranging from $1 to $10 per profile.
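The two phases the company describes, credential stuffing followed by scraping through an opt-in feature, leave distinct traces in server logs. The following detector is an added example written for this article; it is not 23andMe's code and is not derived from the incident data. The log format, event names, field layout, thresholds and the sample log lines are all assumptions constructed for the example. It flags a source IP that tries many distinct accounts with a high failure rate (phase 1) and an account that then pulls far more relative profiles than a person would browse (phase 2), and links the two where the scraping came from a flagged IP.

```python
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
# <epoch> <source_ip> <event> <account> [<profiles_fetched>]
SAMPLE_LOG = """\
1696464000 203.0.113.7 login_fail alice@example.com
1696464001 203.0.113.7 login_fail bob@example.com
1696464002 203.0.113.7 login_ok carol@example.com
1696464003 203.0.113.7 login_fail dave@example.com
1696464004 203.0.113.7 login_fail erin@example.com
1696464005 203.0.113.7 login_fail frank@example.com
1696464010 198.51.100.9 login_fail grace@example.com
1696464020 198.51.100.9 login_ok grace@example.com
1696464100 203.0.113.7 relatives_fetch carol@example.com 1200
1696464200 198.51.100.9 relatives_fetch grace@example.com 40
"""

# Assumed thresholds; tune them to the real login and feature traffic.
STUFFING_MIN_ACCOUNTS = 5     # distinct accounts tried from one source IP
STUFFING_MIN_FAIL_RATE = 0.6  # share of that IP's login attempts that failed
SCRAPE_MAX_PROFILES = 500     # relatives profiles a genuine session would view


def parse_log(text):
    """Parse the assumed log format into dicts; the last field is optional."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, ip, event, account = parts[:4]
        profiles = int(parts[4]) if len(parts) > 4 else 0
        events.append({"ts": int(ts), "ip": ip, "event": event,
                       "account": account, "profiles": profiles})
    return events


def credential_stuffing_sources(events):
    """Phase 1: IPs that tried many distinct accounts and mostly failed.

    A genuine user mistypes their own password; a stuffing tool walks a
    list of leaked username/password pairs, so both the distinct-account
    count and the failure rate are high. Returns ip -> (accounts, fail_rate).
    """
    attempts = defaultdict(list)  # ip -> [(account, succeeded), ...]
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            attempts[e["ip"]].append((e["account"], e["event"] == "login_ok"))
    flagged = {}
    for ip, tries in attempts.items():
        accounts = {account for account, _ in tries}
        fail_rate = sum(1 for _, ok in tries if not ok) / len(tries)
        if (len(accounts) >= STUFFING_MIN_ACCOUNTS
                and fail_rate >= STUFFING_MIN_FAIL_RATE):
            flagged[ip] = (len(accounts), round(fail_rate, 2))
    return flagged


def scraping_accounts(events, stuffing_ips):
    """Phase 2: accounts that pulled far more relative profiles than a
    person would browse, with a flag when the activity came from an IP
    already identified as a credential-stuffing source.
    Returns account -> (profiles_fetched, from_stuffing_ip)."""
    totals = defaultdict(int)
    from_stuffing = defaultdict(bool)
    for e in events:
        if e["event"] == "relatives_fetch":
            totals[e["account"]] += e["profiles"]
            if e["ip"] in stuffing_ips:
                from_stuffing[e["account"]] = True
    return {acct: (n, from_stuffing[acct])
            for acct, n in totals.items() if n > SCRAPE_MAX_PROFILES}


def analyze(text):
    """Run both detectors over a log and return (stuffing_ips, scrapers)."""
    events = parse_log(text)
    stuffing = credential_stuffing_sources(events)
    scrapers = scraping_accounts(events, stuffing)
    return stuffing, scrapers


if __name__ == "__main__":
    stuffing, scrapers = analyze(SAMPLE_LOG)
    for ip, (n_accounts, rate) in stuffing.items():
        print(f"credential stuffing from {ip}: {n_accounts} accounts, "
              f"fail rate {rate}")
    for acct, (n, linked) in scrapers.items():
        print(f"scraping by {acct}: {n} profiles"
              + (" (from a stuffing source)" if linked else ""))
```

On the constructed log, 203.0.113.7 is flagged for trying six accounts with five failures, and carol@example.com, the one account it got into, is flagged for fetching 1200 relative profiles from that same IP; grace@example.com, who mistyped her own password once and viewed 40 profiles, is not. The per-IP view is what a rate limit on the login endpoint would act on; the per-account view is the signal that a successful stuffing login has turned into bulk collection, which a login-focused control alone would miss.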

In response to the incident, the company is requiring its users to change their passwords and encouraging them to enable multi-factor authentication. Both measures target credential stuffing: a new password invalidates credentials leaked elsewhere, and MFA means a reused password is no longer sufficient on its own. The question that precedes all of this, and is often asked online, is whether the benefits of the service outweigh the fact that personal data is placed on the Internet in this way.
