7 Million Affected By DNA Website Breach

By John Lister

DNA and ancestry site 23andMe has admitted nearly 7 million customers are affected by a data breach. Both the breach itself and the way the site organizes its data contributed to what could be a legal disaster for the company.

23andMe is named after the number of segments of DNA that people share with each parent. The service involves customers submitting a DNA sample to be used either to check for genetic health conditions, to get information about ancestry such as ethnic origin, or both. Customers can also agree to be put in touch with other customers when a DNA match suggests a possible family relationship.

The company recently admitted that a data breach meant "threat actors" accessed personal data about 0.1 percent of customers, which would be around 14,000 people. It also said other files were affected, but only described the scope as "a significant number." (Source: theguardian.com)

Data Limits Breached

The company has now admitted that the number affected is actually 6.9 million. That's made up of 5.5 million who agreed to share some data with potential relatives. This includes name, year of birth, location (self-reported), and the percentage of DNA shared with relatives. A further 1.4 million users had information from their "Family Tree" profile revealed. (Source: techcrunch.com)

In other words, the hackers not only accessed the data of the 14,000 people whose records they found, but also information shared by other users. Of course, these users agreed to the sharing under the belief it would only be revealed to potential matches and otherwise kept unavailable.

It's important to note that only the 14,000 breached records contain full genetic data. The 6.9 million records accessed via the link "merely" contain personal information.

Data For Sale

Some user records have already been published online, apparently by the hackers in an attempt to prove their claim to hold the stolen data. They have offered to sell the data, though it's possible they could ask for a ransom to keep the data confidential. 23andMe hasn't spoken publicly about any such demands or negotiations.

The breach will likely provoke legal problems and debate about the wisdom of such services. Aside from any legal action that customers bring, 23andMe could face regulatory action under multiple privacy laws. These often include enhanced penalties for breaches involving sensitive personal data.

At the same time, more cynical analysts are already suggesting this proves customers were exceptionally unwise to provide genetic material to a private company.

What's Your Opinion?

What consequence should 23andMe face? Do you have sympathy with the affected customers? Does private company use of DNA information need tighter regulation or is it a case of buyer beware?


Comments

nospam_5346:

Though I have to admit I have at times been curious, my natural distrust of such things has always won out.

A data breach is just one of the things that keeps me away.

Another is the access law enforcement has and another is possible future access and use by insurance companies using it to deny coverage.

Their liability rests solely, I believe, on the user consent form the customers signed. People should know by now that anything stored online is hackable.

Unrecognised:

Exactly. Simply do not provide companies with real information about yourself, if possible.