Recently, 23andMe, a prominent genetic testing provider, finds itself grappling with a substantial security breach spanning five months, from April 29 to September 27. This breach has exposed the health reports and raw genotype data of affected customers, shedding light on vulnerabilities in safeguarding personal genetic information. We need to look closely to extrapolate the implications of this breach on the privacy of your genetic data.
The breach occurred through a credential stuffing attack, where attackers used stolen credentials from other data breaches or compromised online platforms. The compromised information, including data for 1 million Ashkenazi Jews and 4.1 million individuals in the UK, was posted on hacking forums like BreachForums and the unofficial 23andMe subreddit.
The stolen data includes sensitive information such as health reports, wellness reports, carrier status reports, and self-reported health conditions. 23andMe also acknowledged that for users of the DNA Relatives feature, the attackers might have scraped DNA Relatives and Family Tree profile information.
The exposed information encompasses ancestry reports, matching DNA segments, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and details from the "Introduce yourself" section.
To address the breach, 23andMe took action by requiring all customers to reset their passwords on October 10. Additionally, since November 6, the company mandated two-factor authentication for all customers to enhance security and block future credential-stuffing attempts.
The data breach affected 6.9 million people out of the existing 14 million customers, with 14,000 user accounts breached. Approximately 5.5 million individuals had their data scraped through the DNA Relatives feature, and 1.4 million via the Family Tree feature.
This security incident led to the filing of multiple lawsuits against 23andMe. In response, the company updated its Terms of Use on November 30, making it more challenging for customers to join class-action lawsuits against them. The updated terms state that disputes should be resolved individually rather than through class actions or collective arbitration.
While 23andMe claims that these changes were made to streamline the arbitration process and enhance customer understanding, the incident underscores the importance of safeguarding personal genetic information.
Looking at the bigger picture 23andMe faced a significant data breach that exposed sensitive customer data for months. The breach prompted the company to implement security measures like password resets and two-factor authentication. Despite these efforts, the incident resulted in lawsuits, leading to changes in the company's Terms of Use. This event highlights the need for advanced security measures in the genomics and biotechnology industry, emphasising the importance of protecting users' personal information.