Your DNA for Sale: The Consequences of the 23andMe Data Breach

Exploring DNA security issues, user responsibility vs. corporate accountability in cybersecurity, and the implications of genetic information hacking.

We revisit the intriguing case of 23andMe’s cybersecurity breach, a topic that has stirred debate both in the tech community and elsewhere. This incident shone a spotlight on 23andMe’s security measures and also raised critical questions about the company’s response to the breach itself, as well as how to properly apportion responsibility for the theft of user data in modern cybersecurity. The breach also triggered some uncomfortable yet critically important questions about the handling of DNA information by for-profit entities, and what it means for all of us when these companies inevitably become the target of a cyberattack.

23andMe and the Hacked DNA Database

For those unfamiliar with 23andMe’s recent misfortune, you can get a more complete discussion of the breach in our episode about credential stuffing. In that episode, we talked about the details of the cyberattack, most specifically how the attackers managed to get access to the accounts of thousands of 23andMe users.

Since that episode was released, new events have kept the breach, and 23andMe in general, in the spotlight. For starters, the popular genetic testing and distant-relative networking service has continued to update the number of users whose accounts were affected by the breach. While only several thousand were improperly accessed, millions of users’ familial and relationship connection information was also stolen. In response to this unprecedented data breach, several hundred users have filed a lawsuit against 23andMe for violations of the CPRA and other data privacy laws.

23andMe’s response to the incident, especially in the face of the class-action lawsuit, was to shift the blame onto users for their negligence in password management. This move sparked controversy, with the company asserting that the breach was primarily due to users recycling passwords rather than a lapse in 23andMe’s security systems. The company’s statement, emphasizing user fault, was met with mixed reactions, indicating a potentially myopic view of the situation. Further criticism of the statement focused on the apparent dismissal by 23andMe of any potential negative impact on those users who were not a source of the data breach, but whose network and relationship data were stolen.

Who is at Fault for the 23andMe Data Breach?

The core of the debate lies in the balance between user responsibility and corporate accountability. On one hand, users were instructed to maintain secure login credentials – using unique, strong passwords for each service. The rationale is straightforward: if one password is compromised, it shouldn’t open doors to other accounts. However, the ease of using familiar passwords often trumps security concerns, leading to vulnerabilities exploited in attacks like the one on 23andMe. The accounts also did not use multi-factor authentication, a tool offered but not required by 23andMe.

Notably, neither the statement nor the lawsuit appears to place much significance on the fact that 23andMe’s business model relied on users’ willingness to establish connections with other users based on 23andMe’s DNA analysis, resulting in the widespread sharing of highly unique personal information.

23andMe’s Security Fell Short

While one may initially have seen merit in a shared responsibility model, one cannot help but grow critical of 23andMe’s approach post-incident. While it is easy to blame users for failing to fully secure their passwords, it was the company’s failure to enforce multi-factor authentication (MFA) – a robust security measure offered but not mandated – that led directly to this breach. This was a crucial misstep in an era where credential-stuffing attacks are rampant. Compared with Microsoft’s successful implementation of mandatory MFA, 23andMe’s practices fell behind a growing industry standard of proactive security enforcement.
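The paragraph above describes why credential stuffing is so effective against accounts without an enforced second factor. The following is an added illustration (my own code, not 23andMe’s or the podcast’s) of how a defender would triage such an attack from authentication logs: a single source cycling through many distinct accounts with a high failure rate is flagged, and password matches are separated from granted sessions, because an enrolled second factor is exactly what keeps the first from becoming the second. The log lines, IP addresses, account names and the `FAIL` / `MFA_REQUIRED` / `SUCCESS` outcome vocabulary are all constructed for the example.

```python
"""Credential-stuffing triage over authentication logs (added example).

Credential stuffing replays username/password pairs leaked from other
services, so in auth logs it shows up as one source trying many
*distinct* accounts with a high failure rate.  The triage below flags
such sources and separates "password matched" from "session granted".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical; not a real service's logs).
# Fields: timestamp  source_ip  account  outcome
#   FAIL          wrong password
#   MFA_REQUIRED  password matched, second factor not satisfied, no session
#   SUCCESS       session granted
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 user01@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 user02@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 user03@example.com SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 user04@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 user05@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 user06@example.com MFA_REQUIRED
2023-10-01T10:00:05Z 203.0.113.7 user07@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 user08@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 user09@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 user10@example.com SUCCESS
2023-10-01T10:01:00Z 198.51.100.5 user03@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.5 user03@example.com FAIL
2023-10-01T10:01:09Z 198.51.100.5 user03@example.com SUCCESS
2023-10-01T10:02:00Z 192.0.2.44 user11@example.com SUCCESS
"""


@dataclass
class SourceStats:
    accounts: set = field(default_factory=set)    # distinct accounts tried
    failures: int = 0                              # wrong-password attempts
    password_hits: int = 0                         # password matched (MFA_REQUIRED or SUCCESS)
    takeovers: list = field(default_factory=list)  # accounts where a session was granted

    @property
    def attempts(self):
        return self.failures + self.password_hits


def parse_line(line):
    """Split one log line into (timestamp, source_ip, account, outcome)."""
    timestamp, source_ip, account, outcome = line.split()
    if outcome not in ("FAIL", "MFA_REQUIRED", "SUCCESS"):
        raise ValueError(f"unknown outcome {outcome!r}")
    return timestamp, source_ip, account, outcome


def summarize_by_source(log_text):
    """Aggregate per-source statistics from raw log text."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, source_ip, account, outcome = parse_line(line)
        s = stats[source_ip]
        s.accounts.add(account)
        if outcome == "FAIL":
            s.failures += 1
        else:
            s.password_hits += 1
            if outcome == "SUCCESS":
                s.takeovers.append(account)
    return stats


def flag_stuffing_sources(stats, min_accounts=5, min_failure_ratio=0.5):
    """Return {source_ip: SourceStats} for sources that look like stuffing.

    Heuristic: many distinct accounts from one source AND a high failure
    ratio.  A single user retrying one account (198.51.100.5 in the
    sample) touches only one account and is not flagged.
    """
    flagged = {}
    for source_ip, s in stats.items():
        if len(s.accounts) >= min_accounts and s.failures / s.attempts >= min_failure_ratio:
            flagged[source_ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts that actually obtained a session from a flagged source:
    reset their credentials and review their activity first."""
    return sorted({acct for s in flagged.values() for acct in s.takeovers})


def mfa_prevented(flagged):
    """Password matches from flagged sources that MFA stopped short of a session."""
    return sum(s.password_hits - len(s.takeovers) for s in flagged.values())


if __name__ == "__main__":
    flagged = flag_stuffing_sources(summarize_by_source(SAMPLE_LOG))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.accounts)} accounts, {s.failures}/{s.attempts} failed, "
              f"{len(s.takeovers)} taken over, {s.password_hits - len(s.takeovers)} stopped by MFA")
    print("reset:", accounts_to_reset(flagged))
```

In the constructed sample, the stuffing source matches three passwords but only gains two sessions; the third account had a second factor enrolled, which is the difference an MFA mandate makes across an entire user base rather than one account at a time. The thresholds are starting points: in production they would be tuned per service and combined with rate limiting and breached-password screening at login.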

Negligence is the failure to use reasonable care. If 23andMe did not feel that it was necessary to require passwords to meet certain standards and to require the use of MFA, they certainly cannot now say that failing to do those things wasn’t reasonable.

While 23andMe has implemented some of these security measures in the wake of this massive data breach, the changes do not overshadow the broader implications of the incident. The breach, affecting millions, demonstrates the complex interplay of user behavior, corporate responsibility, and the evolving nature of cybersecurity threats.

23andMe is no mere Website

The data collected by 23andMe needs to be discussed as two separate groups of data. The first is individual data, like usernames, passwords, payment information, and the like. This data is the kind most frequently thought of when you hear about data breaches. The second group is the relational or connection data that 23andMe provided based on user DNA information. It’s this second set of data that makes the 23andMe data pool so unique.

As a collector and curator of vast amounts of personal data, 23andMe had a critical responsibility to protect this information. In the realm of data aggregation, the relationships and connections established between datasets elevate the importance of robust security. This isn’t just about protecting individual accounts; it’s about safeguarding the interconnected web of data that could potentially be exploited in various malicious ways.

Consequences of DNA Hacking

23andMe’s response to the breach was also shortsighted. The company’s assertion that the majority of users weren’t financially harmed seemed to miss the bigger picture. Data security isn’t solely about preventing direct financial loss. The breach could have far-reaching consequences beyond immediate financial impacts. For instance, the breach could facilitate social engineering attacks, exploit familial ties, and potentially impact future technologies and security measures involving DNA data.

Moreover, significant potential exists for misuse of the stolen data in ways that we might not yet fully understand, including the possibility of targeted biological attacks or the compromise of future biometric security systems. This perspective sheds light on the multifaceted risks associated with the breach of genetic data, which extends far beyond traditional financial or identity theft concerns.

Unlike other personal information, DNA is immutable and forms a permanent part of one’s identity. This makes genetic data incredibly sensitive, and once exposed, it’s impossible to retract or change. He criticized 23andMe for not taking adequate steps to protect this unique and sensitive data, highlighting the ethical responsibility companies have in safeguarding user information.

In summary, the episode shed light on the complex and multifaceted nature of data breaches, especially in cases involving sensitive genetic information. There is an immediate need for companies like 23andMe to not only improve their security measures but also to acknowledge and address the broader implications of such breaches on personal privacy and data integrity.

We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.

©2024 Fearless Paranoia