How Safe is Your Genetic Data? 23andMe Compromise Raises Serious Red Flags


We take a deep dive into 23andMe’s recent “breach,” discussing the low-tech attack and the urgency of robust digital security measures.

Episode Transcript

Recently, it was revealed that the genetic profiling service 23andMe may have suffered some type of data breach after an unidentified party offered private information on millions of its users for sale on an online crime forum. The company states that no health data was taken, emphasizing that the leak was the result of data scraping rather than a direct attack on its systems, and that 23andMe had therefore not technically suffered a data breach at all.

Data Security and Understanding 23andMe’s Service

For the uninitiated, 23andMe is a prominent competitor to Ancestry.com. Users submit a DNA sample, which the company analyzes to determine their ancestry and genetic relations. The unique selling point of 23andMe is its capacity to link individuals based on shared DNA, allowing users to find and connect with distant relatives or identify common ancestors. That information is meant to stay secure behind the company's digital walls, but this incident shows that external threats still loom large.

How Credential Stuffing Led to the Breach

The breach wasn't the result of sophisticated hacking but of a tactic called credential stuffing. In this method, criminals take usernames and passwords leaked in earlier breaches of other sites and replay them, in bulk and with automated tools, against the login page of a new target. These credential lists circulate on criminal forums and are tried against many platforms at once. Because so many people reuse the same password across sites, some fraction of the attempts succeed, and that is a significant security concern. Each account that opened could divulge personal details, previous test results, and even connections to other users based on shared DNA.
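Credential stuffing has a recognizable signature in a site's own login logs: one client address cycling through many different usernames with a very low success rate, which is the opposite of a real user fumbling the password on a single account. The following is an added example, not 23andMe's code or logs; the log lines are constructed for illustration, the field layout (timestamp, client IP, username, result) is assumed, and the thresholds are starting points to tune against real traffic.

```python
"""Detect a credential-stuffing pattern in login logs.

Added example, not 23andMe's code or logs. The log lines are constructed
for illustration and the field layout (timestamp, client IP, username,
result) is an assumption; adapt parse_log() to your own log format.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 cycles through many different accounts and
# mostly fails (the stuffing signature); 198.51.100.9 is one user who
# mistypes her own password once and then gets in.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank@example.com SUCCESS
2023-10-01T12:00:04Z 203.0.113.7 grace@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T12:00:06Z 203.0.113.7 judy@example.com FAIL
2023-10-01T12:05:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T12:05:10Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_log(text):
    """Turn the raw log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_distinct_users=8, max_success_rate=0.5):
    """Flag client IPs that tried many distinct usernames and mostly failed.

    A real user fails against one or two accounts; a stuffing tool fails
    against hundreds, because most leaked passwords are no longer valid
    on the new site. Thresholds are assumptions; tune them to your traffic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "users": set(), "compromised": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["users"].add(e["user"])
        if e["ok"]:
            stats["successes"] += 1
            stats["compromised"].add(e["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        success_rate = stats["successes"] / stats["attempts"]
        if distinct >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": distinct,
                "success_rate": round(success_rate, 3),
                # The accounts that opened are the ones to lock and re-verify.
                "compromised": sorted(stats["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful output is not the flagged address, which a determined attacker rotates through a proxy pool, but the list of accounts that opened from it: those are the sessions to revoke and the users to force through a password reset before the scraping stage begins. In practice the same logic runs over a sliding time window and also groups by user agent and by password hash prefix, since stuffing tools try the same leaked password on every account.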

From there, the hackers used data scraping to collect everything they could from 23andMe. Data scraping usually refers to the automated collection of public information from websites, typically with bots or scripts, which is then aggregated into some usable form. This case diverges from that norm: the attackers scraped data that was supposed to sit securely behind a login, by running their scraper from inside every account they had taken over and harvesting whatever that account was permitted to see.
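What makes that second stage so damaging is amplification: a relative-matching feature shows each opted-in user's profile to everyone they match, so every hijacked account yields not one profile but a whole match list. The example below, added here and not 23andMe's data model, makes that arithmetic concrete with constructed data; the matching rule (shared DNA measured in centimorgans above a cutoff), the names, the cM values and the one-hop visibility assumption are all illustrative.

```python
"""How far a few hijacked accounts reach through a relative-matching feature.

Added example with constructed data; not 23andMe's data model. Assumptions:
each user who opted in to relative matching is shown to every other
opted-in user whose shared DNA meets a cutoff (centimorgans, cM); an
attacker holding an account can read everything that account can see;
names and cM values are made up.
"""
from collections import defaultdict

# Constructed pairwise matches: (user, user, shared cM). Larger = closer.
MATCHES = [
    ("ann", "ben", 1800),   # close relative
    ("ann", "cal", 900),
    ("ann", "dee", 120),
    ("ann", "eve", 30),
    ("ann", "fay", 25),
    ("ann", "gus", 9),      # a "distant cousin"
    ("ben", "hal", 500),
    ("cal", "ivy", 60),
    ("dee", "jon", 15),
]
# Everyone except fay chose to participate in matching.
OPTED_IN = {"ann", "ben", "cal", "dee", "eve", "gus", "hal", "ivy", "jon"}


def build_graph(matches, min_cm):
    """Symmetric adjacency: who is shown to whom once the cutoff is applied."""
    graph = defaultdict(set)
    for a, b, cm in matches:
        if cm >= min_cm:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def exposed_profiles(compromised, matches, opted_in, min_cm=8):
    """Third-party profiles an attacker can scrape via the compromised accounts.

    One hop only: the attacker reads the match list of each account held.
    Users who opted out are invisible even when they match, and a
    compromised account that itself opted out has no match list to read.
    """
    graph = build_graph(matches, min_cm)
    seen = set()
    for account in compromised:
        if account not in opted_in:
            continue
        seen |= {rel for rel in graph[account] if rel in opted_in}
    return seen - set(compromised)


def amplification(compromised, matches, opted_in, min_cm=8):
    """Exposed third-party profiles per compromised account."""
    exposed = exposed_profiles(compromised, matches, opted_in, min_cm)
    return len(exposed) / len(compromised)


if __name__ == "__main__":
    hijacked = {"ann"}
    for cutoff in (8, 100, 1000):
        print(f"cutoff {cutoff:>4} cM:",
              sorted(exposed_profiles(hijacked, MATCHES, OPTED_IN, cutoff)))
    print("amplification at 8 cM:", amplification(hijacked, MATCHES, OPTED_IN, 8))
```

Two levers fall out of the model. Raising the match cutoff (showing close relatives but not "distant cousins") shrinks each account's match list and therefore the blast radius of each takeover; and any user who opts out disappears from every attacker's view regardless of whose account was hijacked, which is why the opt-in versus opt-out question matters so much.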

The Implications of Such Data Breaches

While the immediate extent of the 23andMe breach might not be evident, the potential misuse of the acquired data can be vast. Much of the information taken from 23andMe was fairly basic personal information. However, simply because it’s basic doesn’t mean that it isn’t significant. After all, basic protected information still needs to be protected. Such information can be collected together to form a comprehensive profile of an individual, revealing personal connections, potential medical predispositions, and more. As criminals continuously evolve their tactics, the incident serves as a stern reminder of the value of personal data and the ever-present threat of cyber-attacks in our digital age.

Concerns Raised Over 23andMe's Data Privacy

There has been growing concern over 23andMe's privacy settings, particularly the feature that displays a user's information to potential relatives, extending out to "distant cousins." That setting reportedly exposes one's data to a very large number of people. For an Irish-American, it could mean a sizeable portion of Ireland, Boston, Chicago, and other diaspora regions having access to their information.

According to a report by The Washington Post, more than half of the 14 million customers might have had their data exposed, based on the number of people who chose to make their data visible to relatives. However, it's unclear whether this visibility was an opt-in or an opt-out feature. If it was opt-in, then the 23andMe users who turned it on need to go in and revisit that setting immediately and be more careful in the future. If it was opt-out, then there are serious ethical and cybersecurity questions that 23andMe needs to answer.

A Data Breach with Grave Implications

Among the most disturbing elements of this data breach is that the initial trove of customer data was advertised as a database of Ashkenazi Jews. This categorization has deadly historical connotations given the persecution and violence the Jewish community, especially Ashkenazi Jews, faced in events such as the Holocaust. It has been suggested that this particular labeling might have been a tactic to garner attention, and not necessarily an actual attempt to help antisemitic actors identify Jews.

However, particularly given recent events in Israel, the desire of some in this world to target people based on their race, religion, nationality, or other characteristics is clearly as present as ever.

Questionable Claims and the Value of User Data

23andMe clarified post-breach that no genomic data was stolen. That claim may be misleading, however, because the actual scope of the breach is unknown, in particular what could be downloaded from individual accounts. Beyond hacking, when users hand data to third-party services, they trust those entities with its safekeeping. Privacy policies, while reassuring on paper, often contain clauses that permit the sharing or selling of user data. The buying and selling of company assets can also lead to the dissemination of personal information without user knowledge. This becomes especially worrisome for users who signed up before stringent privacy laws were enacted.

Companies like 23andMe and Ancestry.com deal with the most personal data of all: our genetic information. It's immutable; even if someone changes their name or identity, their DNA remains constant.

Such services sit uneasily with the data minimization principle found in modern privacy laws, which holds that a business should collect only the data necessary for its service. A genome is both comprehensive and permanent, so its storage, processing, and potential misuse raise significant concerns and underscore the need for stronger privacy protocols in genetic testing platforms.

How Far has the Breach Gone?

The recent data breach at 23andMe has raised red flags even for those who aren’t direct customers. When considering the interconnected nature of the internet, the implications are staggering. Even if one hasn’t directly shared their genetic information with the company, if a family member has, that data can provide insight into the genetic makeup of the extended family. The leak of such profoundly personal data – essentially a digital fingerprint with far-reaching ramifications – poses potential threats beyond our current understanding, especially as we move into an era where biometrics are being used for authentication.

How Can This Type of Attack be Prevented?

The manner in which this valuable data was accessed is another cause for alarm. With a basic username and password being the gateway to such a treasure trove of information, questions about security standards are inevitable. It’s a stark reminder that digital security is far different from physical security. In the digital realm, there are no geographical boundaries to protect us, and attacks can come from any corner of the world. Moreover, once this data lands on the web, especially on criminal forums, the chances of its removal are almost nil, highlighting the importance of stringent security practices both by users and by companies.

The use of the “low-tech” credential stuffing attack, which is akin to finding a set of keys on the ground and testing them on every door, underscores the fact that it’s not just the advanced technological attacks we should be wary of, but also the basic ones. While hackers employ sophisticated tools, they’re also on the lookout for the simplest vulnerabilities, eager to exploit any lax security. In the case of 23andMe, the attackers hit the jackpot.
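Against a "found keys" attack, the site is the only party that can act at scale: it can refuse to let a password that already appears in someone else's breach dump open an account, and it can throttle the rate at which one client, or one account, may be tried. The following is an added example of a login path built that way, not 23andMe's code; the breach corpus, user records and thresholds are constructed, and the k-anonymity lookup imitates the shape of a hash-prefix range query to a breach-checking service rather than calling one.

```python
"""A login path hardened against credential stuffing.

Added example, not 23andMe's code. Three controls the site can apply
without the user's cooperation: throttle attempts per client IP and per
account; check submitted passwords against a corpus of passwords leaked
elsewhere, using only a SHA-1 hash prefix (k-anonymity range query);
and, when a breached password still opens an account, withhold the
session and force a reset. Corpus, users and thresholds are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

# --- breached-password check -------------------------------------------------
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty2020", "Summer2019!"]  # constructed


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


_BREACH_INDEX = defaultdict(set)  # 5-hex-char prefix -> known 35-char suffixes
for _pw in LEAKED_PASSWORDS:
    _digest = _sha1_hex(_pw)
    _BREACH_INDEX[_digest[:5]].add(_digest[5:])


def range_lookup(prefix):
    """Stand-in for a remote breach service: return every known hash suffix
    under a 5-char prefix, so the full hash never leaves the caller."""
    return _BREACH_INDEX.get(prefix, set())


def password_is_breached(password):
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


# --- stored credentials ------------------------------------------------------
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "key": key, "iterations": iterations}


def verify_password(record, password):
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


USERS = {  # constructed accounts; alice reused a password leaked elsewhere
    "alice@example.com": make_record("password123"),
    "bob@example.com": make_record("correct horse battery staple"),
}


# --- throttling --------------------------------------------------------------
class LoginGuard:
    """Sliding-window attempt limits per client IP and per target account."""

    def __init__(self, window_s=60.0, max_per_ip=20, max_per_user=5):
        self.window_s = window_s
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self._ip_hits = defaultdict(deque)
        self._user_hits = defaultdict(deque)

    def _recent(self, hits, now):
        while hits and now - hits[0] > self.window_s:
            hits.popleft()
        return len(hits)

    def login(self, ip, username, password, now):
        """Returns one of: throttle-ip, throttle-user, fail, require-reset, ok."""
        if self._recent(self._ip_hits[ip], now) >= self.max_per_ip:
            return "throttle-ip"
        if self._recent(self._user_hits[username], now) >= self.max_per_user:
            return "throttle-user"
        self._ip_hits[ip].append(now)
        self._user_hits[username].append(now)

        record = USERS.get(username)
        # Same answer for an unknown user and a wrong password: no enumeration.
        if record is None or not verify_password(record, password):
            return "fail"
        if password_is_breached(password):
            # Valid, but already in attackers' hands: no session until it is
            # changed (and ideally MFA enrolled).
            return "require-reset"
        return "ok"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.login("203.0.113.7", "alice@example.com", "password123", now=0.0))
    print(guard.login("203.0.113.7", "bob@example.com", "correct horse battery staple", now=1.0))
```

The per-IP limit is the weakest of the three controls, since stuffing tools spread attempts across proxy pools, so the per-account limit and the breached-password check carry most of the weight. None of this substitutes for multi-factor authentication, which turns a correct reused password back into a failed attempt; it is the layer that protects users who never hear about the other site's breach.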

Lastly, there’s a glaring issue with the very system of 23andMe. The ability for users to access personal information about distant relatives without explicit consent seems like a significant oversight. Even with the best intentions, data collection on such a scale is ripe for misuse. Every tool or platform that collects data has the potential to be exploited, turning its original purpose on its head. This breach serves as a somber reminder of the potential dangers of sharing and storing personal information online. As technology continues to advance, the ethics and security measures surrounding data collection and storage must be at the forefront of the conversation.

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.

©2022 Fearless Paranoia