Ancestry services can tell you a lot, but you also have to hand over some very sensitive personal data to them. Your genetic data being sold on the dark web is no joke, and thanks to this ancestry service’s data breach, that’s exactly what’s happening.
Your Genetic Data Is Being Sold Online
DNA testing firm 23andMe suffered a massive data breach in 2023 that ended up leaking the genetic data of millions of customers. Hackers breached 14,000 individual accounts and got away with information relating to about 6.9 million individuals listed as possible relations on the site.
The stolen data includes:
- Names
- Birthdays
- Geographical information
- Profile images
- Race
- Health reports
- Ethnicity
- Family trees
Following the data breach, the UK’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) announced a joint investigation into the incident in June 2024. One year later, the investigation has concluded with a £2.31 million ($3.13 million) fine for 23andMe for the “profoundly damaging breach” as announced by the ICO.
The investigation also highlighted security mishaps at the time of the breach. The company did not put proper authentication measures in place: multi-factor authentication (MFA) was not mandatory and password requirements were loose. 23andMe also didn’t take any measures to prevent raw genetic data from being accessed and downloaded, and did not have “effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.”
John Edwards, the UK Information Commissioner, explains it best:
“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”
23andMe’s lax attitude in admitting to the breach was also pointed out. The breach first began in April 2023 and lasted until May 2023. However, the company did not confirm the breach and start a full investigation until October 2023, when an employee spotted the stolen data being advertised for sale on Reddit.
Data Protection Begins With You
Unlike passwords and other information that often gets leaked in such data breaches, you can’t simply change your genetic data. Once this data is out there, you’re essentially compromised for life.

So while there’s not much you can do in this case except stay vigilant for scams and identity theft attempts, you can still try to protect yourself from future breaches. Setting up MFA for online accounts and using strong, unique passwords for each account are some of the most basic steps that you should be taking to protect your digital footprint, regardless of whether the service provider mandates them. Protecting your credit rating if you’re affected by a data breach is also important.
Additionally, try to avoid using online services that ask for too much sensitive information in the first place. Sure, it sounds exciting to learn about your ancestry, but this curiosity isn’t worth gambling with extremely sensitive genetic information that can be used for all sorts of malicious purposes.