Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Genetic Data. Show all posts
Technology
Atlas Biomed customer complaints Cyber Security data security disappearing reports DNA testing GDPR protection Genetic Data Russia links Sensitive Information Technology

DNA Testing Firm Atlas Biomed Vanishes, Leaving Customers in the Dark About Sensitive Data

A prominent DNA-testing company, Atlas Biomed, appears to have ceased operations without informing customers about the fate of their sensitive genetic data. The London-based firm previously offered insights into genetic profiles and predispositions to illnesses, but users can no longer access their online reports. Efforts by the BBC to contact the company have gone unanswered.

Customers describe the situation as "very alarming," with one stating they are worried about the handling of their "most personal information." The Information Commissioner’s Office (ICO) confirmed it is investigating a complaint about the company. “People have the right to expect that organisations will handle their personal information securely and responsibly,” the ICO said.

Several customers shared troubling experiences. Lisa Topping, from Essex, paid £100 for her genetic report, which she accessed periodically online—until the site vanished. “I don’t know how comfortable I feel that they have just disappeared,” she said.

Another customer, Kate Lake from Kent, paid £139 in 2023 for a report that was never delivered. Despite being promised a refund, the company went silent. “What happens now to that information they have got? I would like to hear some answers,” she said.

Attempts to reach Atlas Biomed have been fruitless. Phone lines are inactive, its London office is vacant, and social media accounts have been dormant since mid-2023.

The firm is still registered as active with Companies House but has not filed accounts since December 2022. Four officers have resigned, and two current officers share a Moscow address with a Russian billionaire who is a former director. Cybersecurity expert Prof. Alan Woodward called the Russian links “odd,” stating, “If people knew the provenance of this company and how it operates, they might not trust them with their DNA.”

Experts highlight the risks associated with DNA testing. Prof. Carissa Veliz, author of Privacy is Power, warned, “DNA is uniquely yours; you can’t change it. When you give your data to a company, you are completely at their mercy.”

Although no evidence of misuse has been found, concerns remain over what has become of the company’s DNA database. Prof. Veliz emphasized, “We shouldn’t have to wait until something happens.”
Read more »
sale concerns
23andMe ancestry testing Cybersecurity Data Breach data deletion DNA privacy financial decline Genetic Data Genetic testing HIPAA Personal Data privacy policies sale concerns

23andMe Faces Uncertainty After Data Breach

 

DNA and genetic testing firm 23andMe is grappling with significant challenges following a 2023 data breach and its ongoing financial downturn. Once a leader in the industry, the company now faces an uncertain future as it considers going private, raising concerns about the security of genetic data for its 15 million customers.

Known for its saliva-based genetic ancestry tests, 23andMe has seen its market value plummet by over 99% since its $6 billion high in 2021, largely due to unprofitability. This lack of profit is attributed to declining consumer interest in its one-time-use test kits and sluggish growth in its subscription services. Compounding these issues was a lengthy data breach in 2023, where hackers stole genetic data from nearly 7 million users. In September, the company agreed to pay $30 million to settle a lawsuit related to the breach.

Shortly after the settlement, 23andMe CEO Anne Wojcicki mentioned the possibility of third-party takeover offers but later clarified her intent to take the company private. The initial statement, however, led to the immediate resignation of the company's independent board members, amplifying concerns about the future handling of customer data.

Many customers may assume their genetic data is protected by health privacy laws, but 23andMe is not bound by the Health Insurance Portability and Accountability Act (HIPAA). Instead, the company follows its own privacy policies, which it can alter at any time. According to a company spokesperson, 23andMe believes its data management practices are more appropriate and transparent compared to the traditional healthcare model under HIPAA.

The lack of strict federal oversight and varying state privacy laws means that in the event of a sale, the genetic data of millions could be up for grabs. Wojcicki has signaled a shift in the company's business strategy, halting costly drug development programs to focus on monetizing its customer data for pharmaceutical research.

While 23andMe asserts its data privacy policies would remain unchanged even if sold, privacy advocates have raised alarms. The Electronic Frontier Foundation (EFF) has warned that selling the company to entities with law enforcement ties could lead to misuse of sensitive genetic information.

For those concerned about the future of their data, 23andMe allows users to delete their accounts, though some data may still be retained under legal and compliance requirements.
Read more »
Privacy
23andMe Cyber Crime Cybersecurity Data Breach Genetic Data Privacy

23andMe Faces Privacy Breach

 


Recently, 23andMe, a prominent genetic testing provider, finds itself grappling with a substantial security breach spanning five months, from April 29 to September 27. This breach has exposed the health reports and raw genotype data of affected customers, shedding light on vulnerabilities in safeguarding personal genetic information. We need to look closely to extrapolate the implications of this breach on the privacy of your genetic data.

The breach occurred through a credential stuffing attack, where attackers used stolen credentials from other data breaches or compromised online platforms. The compromised information, including data for 1 million Ashkenazi Jews and 4.1 million individuals in the UK, was posted on hacking forums like BreachForums and the unofficial 23andMe subreddit.

The stolen data includes sensitive information such as health reports, wellness reports, carrier status reports, and self-reported health conditions. 23andMe also acknowledged that for users of the DNA Relatives feature, the attackers might have scraped DNA Relatives and Family Tree profile information.

The exposed information encompasses ancestry reports, matching DNA segments, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and details from the "Introduce yourself" section.

To address the breach, 23andMe took action by requiring all customers to reset their passwords on October 10. Additionally, since November 6, the company mandated two-factor authentication for all customers to enhance security and block future credential-stuffing attempts.

The data breach affected 6.9 million people out of the existing 14 million customers, with 14,000 user accounts breached. Approximately 5.5 million individuals had their data scraped through the DNA Relatives feature, and 1.4 million via the Family Tree feature.

This security incident led to the filing of multiple lawsuits against 23andMe. In response, the company updated its Terms of Use on November 30, making it more challenging for customers to join class-action lawsuits against them. The updated terms state that disputes should be resolved individually rather than through class actions or collective arbitration.

While 23andMe claims that these changes were made to streamline the arbitration process and enhance customer understanding, the incident underscores the importance of safeguarding personal genetic information.

Looking at the bigger picture 23andMe faced a significant data breach that exposed sensitive customer data for months. The breach prompted the company to implement security measures like password resets and two-factor authentication. Despite these efforts, the incident resulted in lawsuits, leading to changes in the company's Terms of Use. This event highlights the need for advanced security measures in the genomics and biotechnology industry, emphasising the importance of protecting users' personal information.


Read more »
new technologies
23andMe cyber attack Data Theft data vulnerabilities Genetic Data new technologies

Genetic Tester 23andMe’s Stolen Data of Jewish Users Sold Online

 


Ashkenazi Jews have been targeted in a Cyberattack, according to the reports malicious actors are advertising the sale of data sets containing names, addresses, and ethnic backgrounds of potentially millions of customers from the genetic testing firm 23andMe. They initially highlighted a batch that specifically includes information about individuals with Jewish heritage. 

On hacker forums, a snippet of the breached data was shared, particularly on a website where the perpetrators asserted that the sample encompassed 1 million data entries pertaining to Ashkenazi Jewish individuals. 

Additionally, as per Wired's report, on Wednesday, the malicious group put up data profiles for sale, pricing them between $1 and $10 per account. The sample allegedly contains entries for prominent tech figures such as Mark Zuckerberg and Elon Musk. 

However, the authenticity of these entries remains uncertain. While an inquiry into the data's authenticity is underway, the disclosed information aligns with an internal company scenario. This situation involved certain accounts being compromised, which in turn facilitated unauthorized access to additional data via 23andMe's DNA Relatives feature. 

The customer profile details were obtained by gaining entry into individual accounts, but it's important to note that the company's overall security was not compromised. The compromised data does not seem to encompass the raw genetic data that the company processes. Instead, it comprises particulars such as gender, birth year, genetic lineage findings, and geographical ancestry information. 

“We do not have any indication at this time that there has been a data security incident within our systems, rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” a spokesperson from 23andMe reported to Forbes. 

DNA testing companies like 23andMe have come under scrutiny from privacy advocates and regulators due to concerns about handling sensitive genetic data. A privacy specialist from Stanford University pointed out in 2021 that a critical question revolves around where genetic data is being sent and why various companies and investors have a financial interest in it. 

23andMe, having gone public via a Richard Branson SPAC two years ago, provides consumers with both ancestral information and health advice. This includes personalized dietary recommendations and insights into potential genetic predispositions to diseases or conditions. The company consistently emphasizes that user data is only shared externally through opt-in agreements and, when shared, is meticulously anonymized for privacy protection. 

What could be the future cybersecurity risks associated with sharing sensitive genetic data: 

1. Cybersecurity Breaches: Despite robust security measures, there is an ongoing risk of cyber-attacks that could compromise the confidentiality and integrity of genetic data. 

2. Data Exploitation for Identity Theft: Stolen genetic data could potentially be used in sophisticated identity theft schemes, undermining personal security measures. 

3. Targeted Cyber Threats: Individuals with identifiable genetic markers may become targets for cyber threats, including phishing attempts or social engineering attacks. 

4. Ransomware and Extortion: Cybercriminals may use sensitive genetic data as leverage for extortion, demanding payments or other concessions in exchange for not disclosing or misusing the information. 

5. Biometric Authentication Risks: As genetic data plays a role in biometric authentication, unauthorized access to this information poses a direct threat to security measures relying on biometric factors. 

6. Healthcare Data Integration Risks: The integration of genetic data with electronic health records introduces new attack vectors, potentially leading to unauthorized access or manipulation of health-related information. 

7. Distributed Denial-of-Service (DDoS) Attacks: Genetic testing companies and associated platforms may become targets of DDoS attacks, disrupting services and compromising data availability. 

8. Third-party Vendor Vulnerabilities: If genetic data is shared with third-party vendors, their cybersecurity practices and vulnerabilities could directly impact the security of the data. 

9. Pharming Attacks: Cybercriminals might create fake websites or services claiming to offer genetic testing, leading individuals to unknowingly disclose sensitive information. 

10. Social Engineering Exploits: Cybercriminals may use information from genetic data to craft convincing social engineering attacks, aiming to deceive individuals into revealing further personal or financial details. 

It is imperative for individuals to exercise caution and seek services from reputable, well-secured platforms when dealing with genetic data. Additionally, organizations handling genetic information should prioritize robust cybersecurity measures to protect against these potential risks.
Read more »
Subscribe to: Posts (Atom)