
Hacker stole data of 6.9 million 23andMe customers and then put it up for sale online

Some 6.9 million 23andMe customers had their data compromised after an anonymous hacker accessed user profiles and posted them for sale on the internet earlier this year, the company said on Monday.

The compromised data included users' ancestry information as well as, for some users, health-related information based on their genetic profiles, the company said in an email.

Privacy advocates have long warned that sharing DNA with testing companies like 23andMe and Ancestry makes users vulnerable to the exposure of sensitive genetic information that can reveal health risks of individuals and of those who are related to them.

In the case of the 23andMe breach, the hacker only directly accessed about 14,000 of 23andMe's 14 million customers, or 0.1%. But on 23andMe, many users choose to share information with people they are genetically related to, which can include distant cousins they have never met as well as immediate family members, in order to learn more about their own genetics and build out their family trees. So through those 14,000 accounts, the hacker was able to access information about millions more. A much smaller subset of customers had health data accessed.

Users can choose whether to share different kinds of data, including name, location, ancestry and health information such as genetic predisposition to conditions such as asthma, anxiety, high blood pressure and macular degeneration.

The exposure of such information could have concerning ramifications. In the U.S., health information is usually protected by what is known as the Health Insurance Portability and Accountability Act, or HIPAA. But those protections only apply to health-care providers.

The 2008 Genetic Information Nondiscrimination Act (GINA) protects against discrimination in employment and health insurance should information from a DNA test make it out into the wild. It aims to protect individuals from being denied a job or insurance coverage if, for example, a DNA test reveals they are at risk of eventually developing a debilitating condition.

But the law has loopholes; both life insurers and disability insurers, for example, are free to deny people policies based on their genetic information.

There have been other high-profile hacks of DNA testing companies. But 23andMe is the first breach of a major company in which the exposure of health information was publicly disclosed. (The Federal Trade Commission recently ordered a smaller firm, Vitagene, to strengthen protections after health information was exposed.)

The hacker appeared to use what is known as credential stuffing to access customer accounts, logging into individual 23andMe accounts by using passwords that had been recycled and used for other websites that were previously hacked. The company said there was no evidence of a breach within its own systems.

Since the hack, the company has announced that it will require two-factor authentication in order to protect against credential-stuffing attacks on the site. It has said it expects to incur $1 million to $2 million in costs related to the breach.
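Credential stuffing looks different from ordinary brute force in a login log: instead of many passwords against one account, it is one leaked password per account across many accounts, so the signal a defender looks for is breadth of usernames from a single source with a high failure rate, plus the few accounts where a recycled password happened to work. The following is an added example of that detection logic, written for this page and not code from 23andMe or from the article; the log format, the field names, the sample lines and the thresholds are all assumed for illustration.

```python
"""Credential-stuffing detector over a web login log (illustrative, added example).

The log format, the thresholds and the sample lines below are assumptions made
for this example; they are not 23andMe's logs or detection rules.
"""
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> ip=<source> user=<account> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source trying recycled passwords across many accounts
# (one of them works), one legitimate user who mistyped once, and one source
# that is suspicious but below the volume threshold.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob@example.com result=OK
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank@example.com result=FAIL
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace@example.com result=FAIL
2023-10-01T12:01:10Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2023-10-01T12:01:20Z ip=198.51.100.7 user=heidi@example.com result=OK
2023-10-01T12:02:00Z ip=192.0.2.9 user=ivan@example.com result=FAIL
2023-10-01T12:02:01Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-10-01T12:02:02Z ip=192.0.2.9 user=ivan@example.com result=FAIL
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_ip(events):
    """Aggregate per source IP: attempts, distinct accounts tried, failures, accounts that logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0, "successes": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])
    return stats


def flag_credential_stuffing(stats, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources that try many *different* accounts and mostly fail.

    Brute force hammers one account with many passwords; credential stuffing
    tries one leaked password per account across many accounts, so the
    distinctive signal is the number of distinct usernames from one source.
    The threshold values are assumed for this example, not production advice.
    """
    findings = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts that accepted a password from a flagged source: their
                # reused password was valid here, so they are the ones to force
                # through a password reset and second-factor enrolment.
                "compromised_accounts": sorted(s["successes"]),
            }
    return findings


def report(text, **thresholds):
    """Run the whole pipeline on raw log text and return the flagged sources."""
    return flag_credential_stuffing(summarize_by_ip(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for ip, finding in report(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample, only 203.0.113.5 is flagged (7 distinct accounts, 86% failures) and bob@example.com is reported as the account whose recycled password worked. Grouping by source IP is the simplest version of the check; a real campaign is usually spread across many proxy addresses, so the same aggregation is normally also run per user agent, per network block or over the site-wide rate of first-time failures. The control the article describes, mandatory two-factor authentication, addresses the root cause: a password leaked from another site is no longer enough on its own to log in, whether or not the attempt is detected.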
