The October data breach at 23andMe, a leading ancestry tracking website, has taken a more sinister turn as it has been confirmed to have affected a staggering 6.9 million users, much worse than the initially reported 14,000 users. The breach, which took place in October, has resulted in the theft of sensitive personal information, including users’ full names, birth years, relationship labels, and locations. Furthermore, approximately 1.4 million users had their Family Tree profile information compromised, allowing hackers to access genetic information, including details about common DNA percentages shared with relatives and specifics such as chromosome matching.
The stolen data has already been put up for sale on the black market, with several ethnic groups being targeted. According to reports, individuals’ information is being sold for $1 to $10 per data set, making it a lucrative business for cybercriminals. This sensitive information can be used for nefarious purposes, such as identity theft, discrimination, and even medical record tampering.
In an effort to avoid responsibility for the breach, 23andMe has attempted to shift the blame to its users, claiming that the hack occurred because members reused passwords from other accounts. In this common cyberattack, known as credential stuffing, hackers take username and password pairs already leaked in other breaches and try them against a new site; this is how the initial 14,000 accounts were accessed. From there, the attackers were able to reach further into the company's database to steal information.
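The pattern described above has a recognisable signature in authentication logs: one source tries many different accounts in a short time, most attempts fail, and a few succeed. The following is an added example, not code from the original article or from 23andMe, that flags that signature over a small set of constructed log lines. The log format, the IP addresses, the usernames, the window length and the account threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (hypothetical format, not real
# 23andMe logs): ISO timestamp, client IP, username, outcome.
SAMPLE_LOG = """\
2023-10-01T08:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T08:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T08:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T08:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T08:00:04Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T08:00:05Z 203.0.113.7 frank LOGIN_OK
2023-10-01T08:00:06Z 203.0.113.7 grace LOGIN_FAIL
2023-10-01T08:00:07Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T08:05:00Z 198.51.100.20 alice LOGIN_FAIL
2023-10-01T08:05:30Z 198.51.100.20 alice LOGIN_OK
2023-10-01T09:00:00Z 192.0.2.44 bob LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_events(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples,
    skipping anything that does not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt logins against many *different* accounts
    inside one sliding window. A single user mistyping their own password
    touches one account; a credential-stuffing run touches many. Thresholds
    are hypothetical and would be tuned per site.

    Returns {ip: {"accounts_tried", "failures", "accounts_compromised"}}.
    The compromised list is what a defender acts on: invalidate those
    sessions and force a password reset, even though the logins 'succeeded'.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # chronological order per source
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_accounts:
                alerts[ip] = {
                    "accounts_tried": len(users),
                    "failures": sum(1 for e in span if not e[3]),
                    "accounts_compromised": sorted({e[2] for e in span if e[3]}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed sample only 203.0.113.7 is flagged: eight accounts tried in six seconds, six failures, and two accounts (carol, frank) where the leaked password still worked. Those two successes are exactly the logins a second authentication factor would have stopped, which is why the absence of two-factor authentication matters as much as the password reuse itself.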
However, experts argue that this is no excuse for the breach, especially since genetic information is particularly sensitive and should be treated with the utmost care. The fact that 23andMe did not have adequate cybersecurity measures in place, including two-factor authentication, makes it complicit in the breach.
The implications of the breach are far-reaching, with experts warning that genetic data in the wrong hands can be used to make deductions about individuals based on health information, such as a diagnosis or medical family history. This raises serious concerns about privacy and data protection, particularly in the age of genetic testing and the increasing importance of genetic information in medical and insurance industries.
In related news, Meta (formerly Facebook) recently settled a $725 million class-action lawsuit for leaving users' and their friends' data exposed to third parties for profit. Similarly, the 23andMe breach puts genetic data at risk of being used in the wrong hands for illegal purposes, such as identity theft, discrimination, and medical record tampering.
To make matters worse, 23andMe has apparently attempted to silence its users by mandating that any legal complaints about the breach must be resolved outside of court. This means that users will not be able to participate in a class-action lawsuit unless they opt out of private dispute resolution. Users who want to file a class-action lawsuit must collectively opt out of private dispute resolution by emailing [email protected] within 30 days of the update, that is, by December 30. This information is detailed at the end of the fifth section of the 23andMe terms of service update.
The 23andMe data breach is a staggering reminder of the dangers of inadequate cybersecurity measures and the importance of protecting sensitive personal information. As the use of genetic testing and genetic information continues to grow, it is essential that companies like 23andMe take proactive steps to ensure the confidentiality and integrity of genetic data.