23andMe Confirms Stolen Genetic Data Is For Sale Online

The theft was apparently a result of people using old, easily cracked passwords.
By Ryan Whitwam

Hardly a week goes by without news of yet another data breach. It happens so often at this point that you might assume all the data about you that could leak already has. You'd be wrong if you've ever given a genetic sample to a company like 23andMe. That genetic testing firm, founded by Anne Wojcicki in 2006, has confirmed that unknown online criminals have acquired a cornucopia of personal data from the site's users, and it's for sale online.

The company says it's currently evaluating the data posted to hacker sites, including the notorious BreachForums. So far, 23andMe has confirmed some data is authentic, but the statement claims there is no evidence of a break-in. "We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts," 23andMe says. The firm claims that the attackers gained access to data by guessing logins, probably from people reusing login credentials that have already leaked.

The data, which is being sold for between $1 and $10 per account, does not contain a full genetic profile. Instead, it lists basic stats like name, sex, and birth year. The database reportedly also contains genetic ancestry information, for example, if someone is "broadly European" or "broadly Asian," reports Wired. This likely came from people who have the DNA Relatives feature enabled, which shares some data with people who share significant genetic markers. There are about 1 million data points specifically about Ashkenazi Jews. This population has highly conserved genetics and is prone to several dangerous hereditary diseases, like Tay-Sachs. These traits are heavily studied and are included in the 23andMe analysis.

The data appears to come from the site's DNA relative sharing feature. Credit: 23andMe

23andMe was one of the first consumer genetic analysis firms, but it has been followed by a small army of competitors that offer to unlock the secrets in your genes. 23andMe customers supply a vial of saliva to the company, which isolates cells to extract the genetic profile. Early on, it provided a deep but potentially flawed analysis of genetic markers, but the FDA stepped in and forced the company to analyze only a narrower set of verifiable genetic traits. You can still access your raw genetic sequence, but thankfully, that isn't part of the breach.

Just because full genetic sequence data wasn't included in this leak does not mean it can't happen—there are concerns across the industry about privacy in commercial DNA testing. 23andMe encourages customers to use strong, unique passwords and enable two-factor logins. It's not the only company holding genetic data, and we don't know how important that data will be in the future. Security experts worry that just having the basic genetic profiles from this leak could sharpen phishing campaigns. Maybe in the future, threat actors will use your DNA to get a leg up in their next scheme.
