Subscriber OnlyTechnology

Getting your DNA tested can have disturbing results

Data breach at 23andMe highlights need for regulation as genetic background and other information hacked and offered for sale

The 23andMe breach: Hackers gained access to what they claim are 'millions' of pieces of sensitive personal information and are offering that information on the dark web.
The 23andMe breach: Hackers gained access to what they claim are 'millions' of pieces of sensitive personal information and are offering that information on the dark web.

A breach of sensitive user data from DNA company 23andMe last week has clearly demonstrated that spitting into a small plastic tube can have unforeseen and disturbing consequences.

Security and digital rights experts have long warned about using increasingly popular DNA analysis services, which generally rely on saliva samples. The industry remains largely unregulated (still!) though the data produced is extremely sensitive. If accounts are compromised, little can be done. You can get a credit card reissued, but you can’t change or re-cloak your DNA.

Still, people find it difficult to visualise what might be done with their DNA details. Learning about heritage or health profiles continues to have strong appeal. And for some, such services can be an important tool – not ideal, but sometimes the only feasible one available – for adopted people to find birth parents or relatives.

So far, one of the few well-publicised real-world examples of how DNA results can be exploited has received a largely affirmative spin: when law enforcement investigators used publicly available genealogy databases to crack long-standing cold murder cases, such as the resolution of the Golden State Killer case in 2018.

READ MORE

The 23andMe breach is an important counternarrative, revealing the possible consequences of taking DNA tests and sharing that information to genealogy websites. Hackers gained access to what they claim are “millions” of pieces of sensitive personal information and are offering that information on the dark web, in a huge breach that 23andMe has confirmed and is investigating.

Future of Genuity’s Irish DNA database is worryingly uncertainOpens in new window ]

According to people who have examined the 23andMe data, someone on the dark web platform BreachForums was offering a list of a million people with Ashkenazi Jewish background taken from 23andMe profiles. According to Wired , the data points also appear to include information on several hundred thousand 23andMe users of Chinese descent.

Like many DNA-testing services, 23andMe offers users options to test for genetic markers for ancestry, as well as specific health conditions. The company tests for 47 different “populations” and expresses any population that appears in a sample as a percentage of a user’s ancestry. That means that the list of a million individuals would likely include people with as little as 1 per cent Ashkenazi ancestry.

Also on offer were the usernames, sex, birth dates, and location information for the accounts. Such information was being sold for $1-10 per account.

The accounts do not appear to include the kind of detailed health information an individual might opt for from 23andMe, such as whether someone has genetic markers for conditions such as various cancers, Alzheimer’s or Parkinson’s.

Using DNA to solve a family mystery: ‘It brought great comfort to some of the older relatives’Opens in new window ]

So, according to experts, and 23andMe, it doesn’t seem that millions of individual accounts were hacked, and full genetic testing results obtained. Instead, hackers gained access to data using a “credential stuffing” attack whereby they got usernames and passwords from some past, entirely separate data breach and then – because people often reuse names and passwords – they tried them, with evident success, on some 23andMe accounts.

Hackers only needed to access a few accounts to be able to scrape data from 23andMe using the company’s “DNA relatives” feature, which lets users connect to others sharing similar ancestry, even if distantly. Users have to opt in to share their results in this way. News outlets reported that the list seems to be a random collection of accounts that indicate some degree of Ashkenazi heritage.

This was a shockingly easy, uncomplicated hack. The perpetrators didn’t even need to access a person’s individual account or their full profile to gain potentially sensitive information about them.

In this case, a popular feature for sharing data to find “DNA relatives” was exploited to acquire information that could be used for identity theft, harassment, bullying or physical targeting and not just of an individual but, potentially, their families and relatives.

Red faces at Central Bank over data breachOpens in new window ]

The hack raises – yet again – pressing questions about how DNA-testing companies are run and regulated, including whether companies adequately inform users of potential risks, or for that matter, the realities of the user agreements they sign up to.

Why don’t companies dealing in such sensitive information (or their regulators) require even the basic, better security of two-factor authentication? Because 23andMe doesn’t, perhaps a million people have been impacted by the relatively simple compromising of a few (of probably many) accounts that reused login credentials across other websites.

Should DNA companies be offering the ability to share DNA profiles to match DNA connections, given that this also may genetically identify millions of other people who never opted in to be profiled in this way?

And there are so many other concerns, from the debatable accuracy and lack of context for many of these commercially marketed genetic health markers, to the fact that DNA companies make money by selling DNA profile information to third parties.

This hack is a potential nightmare for those affected. But perhaps it will serve as a turning point in how people, and more critically, regulators, understand and interact with the whole commercial DNA sector. Far more is at stake than learning about personal gluten intolerance or family trees.