23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews


23andMe, the company that lets you know whether you’re related to your wife or not, appears to be in trouble. Over the weekend, multiple outlets reported that the biomedical company had suffered a data breach after users’ information unceremoniously popped up for sale on a popular dark web forum. Now, the company is predictably getting sued by pissed-off customers who feel their information was improperly safeguarded.

The information posted online appears to involve over a million users and covers a variety of data points, including users’ names, genders, birthdays, geographical locations, profile pictures, and genetic ancestry results. The hawker of the data claims that the accounts in question are linked specifically to Ashkenazi Jewish individuals, though some Chinese users are said to have been exposed as well. Included in the supposed haul are accounts apparently connected to a number of celebrities and high-profile individuals, including tech luminaries Elon Musk, Sergey Brin, and Mark Zuckerberg.

23andMe, which has confirmed that the customer data is real, has denied that it was obtained via a technical hacking episode, telling Gizmodo in a statement that customer accounts seem to have been infiltrated using previously compromised login credentials. The statement reads, in part:

…we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.

While it would take a thorough cybersecurity investigation to get to the bottom of those claims, some customers aren’t waiting around for that to happen. A class action lawsuit filed in California accuses 23andMe of shoddy cybersecurity practices and says that the firm’s inadequate digital “safeguards” have now put customers at an elevated risk of fraud and identity theft. The lawsuit seeks damages on behalf of impacted users.

The future of data breaches

Cybersecurity professionals have long warned that the growing biomedical industry is a data disaster waiting to happen. Cybercriminals and nation-state hackers have a keen interest in organizations that store valuable information, and genomics firms—which commodify and store large quantities of human genetic data—are obviously really appealing targets.

23andMe also isn’t the first company in its field to get hacked. Over the last few years, a growing list of genomics companies and labs have suffered similar breaches. Just this summer, the Federal Trade Commission settled with a California company, 1Health.io, for its improper storage and shady practices.

Cybercrime aside, other obvious concerns exist with the genomics industry—notably, its penchant for sharing data with outside parties, like cops and pharmaceutical companies. While 23andMe says it fights hard against requests from law enforcement agencies, other companies aren’t quite so tough. In 2018, 23andMe also made headlines when it controversially announced it would be selling anonymized genetic information to GlaxoSmithKline, one of the largest pharma companies in the world.

In short: finding out how distantly you’re related to Genghis Khan might be fun, but I still wouldn’t recommend sharing your DNA with anyone unless you absolutely have to.

