An anonymous hacker is claiming to be selling millions of genetic profiles from hacked 23andMe customer accounts.
Genealogy services can tell you a lot, but they also require you to hand over some very sensitive personal data. Having your genetic data sold on the dark web is no joke. Thanks to this genealogy service data breach, that's exactly what's happening.
Users' genetic data is being sold online
DNA testing company 23andMe suffered a massive data breach in 2023 that exposed the genetic data of millions of customers. Hackers were able to compromise 14,000 personal accounts and steal information related to approximately 6.9 million individuals listed as potential relatives on the site.
Stolen data includes:
- Name
- Date of birth
- Geographic information
- Profile photo
- Race
- Health report
- Nation
- Genealogy
Following the data breach, the UK Information Commissioner's Office (ICO) and Canada's Office of the Privacy Commissioner (OPC) announced a joint investigation into the incident in June 2024. A year later, the investigation concluded with a £2.31 million ($3.13 million) fine against 23andMe for what the ICO described as a "serious breach."
The investigation also highlighted security lapses at the time of the breach. The company failed to implement proper authentication measures, with a lack of mandatory multi-factor authentication (MFA) and lax password requirements. 23andMe also failed to take steps to prevent access to and download of raw genetic data, and did not have 'effective systems to monitor, detect, or respond to cyber threats targeting sensitive customer information . '
John Edwards, UK Information Commissioner, explains:
23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people's most sensitive data vulnerable to exploitation and harm.
23andMe's lackadaisical approach to acknowledging the breach has also been pointed out. The first breach began in April 2023 and lasted until May 2023. However, the company did not acknowledge the breach and launch a full investigation until October 2023, when an employee discovered the stolen data being sold on Reddit.
Data protection starts with you
Unlike passwords and other information that often gets leaked in such data breaches, you can't just change your genetic data. Once it's public, you're essentially compromised for life.
So while there's not much you can do in this case other than be vigilant for any phishing or identity theft attempts, you can still try to protect yourself from future breaches. Setting up MFA for your online accounts and using strong, unique passwords for each account are some of the most basic steps you should take to protect your digital footprint, regardless of whether your service provider requires it or not. It's also important to protect your credit rating if you're affected by a data breach.
Also, try to avoid using online services that ask for too much sensitive information in the first place. Sure, learning about your ancestors may sound interesting, but that curiosity is not worth risking extremely sensitive genetic information that could be used for all sorts of nefarious purposes.