Genetic Testing Leader, 23andMe, Acknowledges Data Breach and Dark Web Sale
Genetic testing giant 23andMe has recently confirmed a data scraping incident that resulted in hackers gaining unauthorized access to sensitive user information, which they subsequently sold on the dark web.
This breach exposed the personal information of nearly 7 million 23andMe users. The compromised data included origin estimation, phenotype, health information, photos, identification details, and more. 23andMe is known for processing saliva samples submitted by customers to determine their ancestral heritage.
Initially, when questioned about the data breach, the company denied the legitimacy of the claims, referring to them as "misleading." However, they later admitted that certain 23andMe customer profiles had been compiled through unauthorized access to individual accounts, specifically those signed up for the DNA Relative feature, which allows users to find potential relatives.
The company clarified that they did not believe there was a data security breach within their systems. Instead, their preliminary investigation suggested that threat actors had acquired login credentials from data leaks on other online platforms where users had reused the same login information. Subsequently, these credentials were used to gain unauthorized access to a limited number of 23andMe accounts, from which data was scraped.
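The attack pattern the company describes, reused credentials tried against many accounts, leaves a recognisable trace in authentication logs. As an added defender-side illustration (not code from 23andMe or from the article), the function below parses constructed log lines in a hypothetical format and flags source IPs that attempt logins against many distinct accounts within a short window, while a single user repeatedly retrying their own password is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; hypothetical line format:
# "<ISO timestamp> <source IP> <account id> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 acct-1001 LOGIN_OK
2023-10-01T12:00:03 203.0.113.7 acct-2042 LOGIN_FAIL
2023-10-01T12:00:04 203.0.113.7 acct-3310 LOGIN_OK
2023-10-01T12:00:06 203.0.113.7 acct-4177 LOGIN_OK
2023-10-01T12:00:09 203.0.113.7 acct-5520 LOGIN_FAIL
2023-10-01T12:00:11 203.0.113.7 acct-6001 LOGIN_OK
2023-10-01T12:05:00 198.51.100.9 acct-7000 LOGIN_OK
2023-10-01T12:06:00 198.51.100.9 acct-7000 LOGIN_FAIL
2023-10-01T12:06:30 198.51.100.9 acct-7000 LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, account, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, account, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag IPs that touch >= min_accounts distinct accounts inside one sliding window.
    Many attempts against ONE account (a user retrying) do not trigger the rule."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            span = attempts[start:end + 1]
            accounts = {a for _, a, _ in span}
            if len(accounts) >= min_accounts:
                # Successful logins in the burst are the accounts to review/reset.
                hits = sorted({a for _, a, r in span if r == "LOGIN_OK"})
                alerts[ip] = {"distinct_accounts": len(accounts), "review_accounts": hits}
    return alerts
```

Pairing this with a forced password reset and a check of the compromised accounts' session and export activity is what turns the alert into containment.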
The company declined to specify the exact number of customer accounts affected, but explained that users who had opted into DNA Relatives can view basic profile information of other participants who share their profile with DNA Relatives matches. Genetically related users could also access the ancestry information that each participant disclosed when creating their DNA Relatives profile.
Once 23andMe completes its investigation, they plan to determine the best approach for notifying affected customers.
This incident underscores the vulnerability of customer data, even when intruders do not penetrate deeply into a network. A researcher, who wished to remain anonymous, examined the leaked database and found that a significant portion appeared to be genuine, including the information of his wife and several of her family members. He also confirmed the accuracy of data related to other acquaintances.
The researcher downloaded two files from the BreachForums post: one containing data on 1 million 23andMe users of Ashkenazi heritage and the other with information on over 300,000 users of Chinese heritage. This data included profile and account IDs, names, genders, birth years, maternal and paternal genetic markers, ancestral heritage results, and users' decisions to opt into 23andMe's health data.
While the data did not include genomic sequencing information, it was still supposed to be restricted to DNA Matches, not the public. The researcher also discovered a flaw that allowed anyone to enter a 23andMe profile ID into a URL and access someone's profile, including profile photos, names, birth years, and locations, though not their test results.
This oversight in 23andMe's website design and security raised concerns, especially given the nature of the information they handle. The researcher expressed frustration with the company's response, claiming they were not taking the issue seriously.
In recent weeks, the security practices of genetic testing companies, including 23andMe, have come under regulatory scrutiny. Just three weeks ago, another genetic testing firm, 1Health.io, agreed to pay a $75,000 fine to the Federal Trade Commission (FTC) for failing to secure sensitive genetic and health data, retroactively changing its privacy policy without notifying customers or obtaining their consent, and misleading customers about their ability to delete their data.