
Lessons from the 23andMe Data Breach: Data Privacy in an Interconnected World


In a world driven by information, the recent 23andMe data breach has cast a glaring spotlight on the vulnerabilities within our interconnected data landscape. This breach not only exposed the sensitive genetic information of countless individuals but also emphasized the far-reaching consequences of interconnected data in our digital age.


The 23andMe Data Breach

The breach that shook the genomics world wasn't a direct attack on the company's servers; it was a credential-stuffing campaign against individual user accounts. The attackers took username and password pairs leaked in earlier, unrelated breaches and replayed them against 23andMe's login page, and every account whose owner had reused one of those passwords (and had not enabled the optional second factor) was taken over. On its own that gave access to a relatively small number of accounts, but each compromised account could be used to query the "DNA Relatives" feature, which shows a user's genetic matches together with their display names, relationship estimates, ancestry reports and self-reported locations. By walking those matches, the attackers scraped profile data from a far broader set of people than they had actually logged in as: 23andMe later disclosed that around 14,000 accounts were accessed directly, while data on roughly 6.9 million users was obtained through the relatives feature. The breach led to the filing of four class action lawsuits against 23andMe within a week, all centered on the compromise of users' personal and health data.
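The attack pattern above leaves a distinctive trail in authentication and API logs, and a defender can look for both halves of it. The following Python script is an added example (not code from 23andMe or from the original article): it runs two detectors over a handful of constructed log lines whose format, field names, IP addresses and thresholds are assumptions. The first detector flags a source address that attempts many distinct accounts in a short window with a high failure rate, which is what credential stuffing looks like from the server side; the second flags an account that reads an unusually large number of relative profiles, which is the scraping step.

```python
"""Spotting credential stuffing and relative-profile scraping in login/API logs.

Added example, not 23andMe's code. The log format, field names, IP addresses
and thresholds below are assumptions; the log lines are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format):
#   <ISO timestamp> <event> ip=<source> user=<account> [status=ok|fail] [target=<relative profile>]
# 203.0.113.5 tries six accounts in six seconds, gets into one (carol) and then
# walks carol's relative matches; 198.51.100.7 is an ordinary user session.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z login ip=203.0.113.5 user=alice status=fail
2023-10-01T10:00:02Z login ip=203.0.113.5 user=bob status=fail
2023-10-01T10:00:03Z login ip=203.0.113.5 user=carol status=ok
2023-10-01T10:00:04Z login ip=203.0.113.5 user=dave status=fail
2023-10-01T10:00:05Z login ip=203.0.113.5 user=erin status=fail
2023-10-01T10:00:06Z login ip=203.0.113.5 user=frank status=fail
2023-10-01T10:01:00Z view_relative ip=203.0.113.5 user=carol target=rel01
2023-10-01T10:01:02Z view_relative ip=203.0.113.5 user=carol target=rel02
2023-10-01T10:01:04Z view_relative ip=203.0.113.5 user=carol target=rel03
2023-10-01T10:01:06Z view_relative ip=203.0.113.5 user=carol target=rel04
2023-10-01T10:01:08Z view_relative ip=203.0.113.5 user=carol target=rel05
2023-10-01T10:01:10Z view_relative ip=203.0.113.5 user=carol target=rel06
2023-10-01T10:01:12Z view_relative ip=203.0.113.5 user=carol target=rel07
2023-10-01T10:01:14Z view_relative ip=203.0.113.5 user=carol target=rel08
2023-10-01T10:05:00Z login ip=198.51.100.7 user=alice status=ok
2023-10-01T10:06:00Z view_relative ip=198.51.100.7 user=alice target=rel01
2023-10-01T10:06:05Z view_relative ip=198.51.100.7 user=alice target=rel02
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


def parse_log(text: str) -> list:
    """Turn each line into a dict; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m.group("event"), **fields})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.6) -> dict:
    """Per source IP, slide a time window over login attempts and flag windows that touch many
    distinct accounts with mostly failures. Returns {ip: summary} for the widest offending window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {e["user"] for e in span}
            fail_ratio = sum(e.get("status") == "fail" for e in span) / len(span)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                if ip not in alerts or len(accounts) > alerts[ip]["accounts_tried"]:
                    alerts[ip] = {
                        "accounts_tried": len(accounts),
                        "fail_ratio": round(fail_ratio, 2),
                        # successes inside a stuffing burst are the accounts to lock and re-verify
                        "successful_logins": sorted({e["user"] for e in span if e.get("status") == "ok"}),
                    }
    return alerts


def detect_relative_scraping(events, max_profiles=5) -> dict:
    """Flag accounts that view more distinct relative profiles than a person browsing would."""
    targets, ips = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "view_relative":
            targets[e["user"]].add(e["target"])
            ips[e["user"]].add(e["ip"])
    return {
        user: {"profiles_viewed": len(t), "source_ips": sorted(ips[user])}
        for user, t in targets.items() if len(t) > max_profiles
    }


def analyze(log_text: str) -> tuple:
    """Run both detectors over a log and return (stuffing_alerts, scraping_alerts)."""
    events = parse_log(log_text)
    return detect_credential_stuffing(events), detect_relative_scraping(events)


if __name__ == "__main__":
    stuffing, scraping = analyze(SAMPLE_LOG)
    print("credential stuffing:", stuffing)
    print("relative scraping:", scraping)
```

On the sample data the first detector names 203.0.113.5 (six accounts tried, 83% failures, one success: carol) and the second names carol (eight relative profiles viewed from that same address); alice's two views and her normal login from 198.51.100.7 stay quiet. The useful response is the combination: an account that logged in successfully inside a stuffing burst and then bulk-reads relatives should be locked and its session revoked, which is a much narrower action than blocking the whole address.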



The interconnected nature of personal data and the rise of privacy concerns

This incident prompts us to reevaluate our understanding of privacy, data security, and corporate responsibility in the information-driven economy. Genetic databases have a unique characteristic; when an individual shares their DNA data with a company like 23andMe, it doesn't just reveal information about them but also about their relatives, even if those relatives haven't provided their own DNA samples or given consent for data collection. Essentially, their data becomes interconnected. 

The consequences of neglecting how one person's data affects others extend beyond genetic data into the broader information economy. Data is interconnected by design: linking records across people and sources is at the core of how businesses operate, but it also creates a fairness problem, because people who never opted in end up carrying risks created by somebody else's choices. Every choice an individual makes about their data has ripple effects on others, potentially leading to repercussions such as:

Identification and Tracking: 

Data can be used to identify and track individuals, even if they haven't directly provided their data. The amalgamation of data from various sources, such as social media profiles, purchase history, and location data, can lead to comprehensive profiling.

Discrimination: 

The stolen genetic information from the 23andMe breach, which includes lists of individuals with specific ancestries, raises concerns about discrimination and harassment, as the leaked data includes names and locations. Furthermore, data related to genetic predispositions, like Type 2 diabetes, Parkinson's disease, or dementia, can also be exploited, potentially resulting in increased insurance premiums and employment discrimination.

Targeted Advertising and Manipulation: 

The interconnection of data enables the creation of highly detailed psychological profiles, allowing for personalized advertising and other forms of manipulation.

Security Risks: 

Interconnected data makes breaches both more damaging and more worthwhile for attackers: compromising one system, or in the 23andMe case a small set of accounts, is enough to reach a substantial amount of data about many people who were never themselves compromised. These risks highlight the critical importance of robust data security measures and the protection of individuals' information in our increasingly interconnected digital landscape.


Similar to 23andMe, companies like AncestryDNA, MyHeritage, LivingDNA, and FamilyTreeDNA collect genetic data from their users and use it to provide services such as ancestry tracing, health risk assessment, and personalized genetic counseling, so the same interconnected-data problem applies to them. 23andMe isn't the first genetics company to experience a data breach; other companies that have faced data breaches include:

  • Veritas Genetics, a DNA testing startup, experienced a data breach in its customer-facing portal that resulted in unauthorized access to some customer information. The company did not say when the breach occurred or which data was accessed; it stated that only a few customers were affected and denied that any data had been stolen. Although the incident did not compromise personal health information, it raises concerns about how well genetic testing companies safeguard user data, particularly as privacy issues in the industry grow, with law enforcement gaining access to DNA databases for criminal investigations.


  • Vitagene, a genetic testing company, discovered that one of its AWS cloud storage buckets had been left publicly accessible, exposing consumer data including users' full names, birth dates, genetic health information, and other medical conditions. The exposure involved around 300 files of raw genetic DNA information, some of which included users' names, as well as 1,401 user files stored with a less restrictive access setting that was normally intended only for employees. The storage also contained some user contact details such as email addresses, but no credit card information, passwords, or financial data was compromised in the incident. Exposures of this kind are misconfigurations rather than intrusions: no password was guessed and no software flaw exploited, the data was simply readable by anyone who found it.


Protecting your privacy when using DNA testing services

When sharing sensitive personal data such as health or genetic information, privacy protection has to be a priority, because the exposure is irreversible: a leaked password can be rotated, a leaked genome cannot. Some actionable steps include:


Read Privacy Policies Carefully: 

Before using a DNA testing service, thoroughly review their privacy policies and terms of service. Ensure you understand how your genetic data will be collected, stored, and shared.

Enable Two-Factor Authentication (2FA): 

To protect your DNA test account, enable two-factor authentication (2FA) alongside a strong, unique password. 2FA adds a second check at login: a one-time code from an authenticator app (preferable to an SMS code, which can be intercepted through SIM swapping), a hardware security key, or a passkey, in addition to your password. This is exactly the control that defeats credential stuffing: a password harvested from another site's breach is useless on its own if the attacker cannot also produce the second factor. 23andMe made 2FA mandatory for all customers after the breach; if your provider still leaves it optional, turn it on yourself.

Strong, Unique Passphrase:

Instead of a single word, use a passphrase, and use a different one for every account. Uniqueness is the real lesson of the 23andMe breach: the attackers did not crack anything, they replayed passwords stolen elsewhere, so a password is only as safe as the weakest site it was reused on. A passphrase of several randomly chosen words (five or six words from a word list, joined with hyphens) is long, memorable, and far harder to guess than a short word with numbers and symbols swapped in; letter-for-symbol substitutions such as "a" to "@" are built into password-cracking tools and add little. Taking the first letters, numbers and punctuation of a memorable sentence also works if the sentence is long enough. Since nobody can remember dozens of unique passphrases, let a password manager generate and store them, and reserve the passphrase you memorize for the manager itself.
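Two pieces of that advice can be automated, and the Python script below is an added example (not from the article or any DNA-testing vendor) that does both. It generates a random-word passphrase, the Diceware-style alternative to the first-letters trick above, and it checks a candidate password against breach data using the k-anonymity range scheme: the client hashes the password with SHA-1 and sends only the first five hex characters, so the service never learns the password or even its full hash. The breach corpus, the word list and the range-lookup function are constructed stand-ins; a real check would query a service such as Have I Been Pwned's Pwned Passwords range API, which uses this same prefix scheme, and a real passphrase would draw from a list of several thousand words.

```python
"""Passphrase generation and a privacy-preserving breached-password check.

Added example, not from the original article or any DNA-testing vendor.
The breach corpus, the word list and fake_range_lookup() are constructed
stand-ins for a real breach-lookup service and a real Diceware word list.
"""
import hashlib
import math
import secrets

# Constructed "seen in breaches" corpus with made-up occurrence counts.
CONSTRUCTED_BREACH_CORPUS = {"password": 9_545_824, "123456": 37_359_195, "Summer2023!": 1_204}

# Constructed placeholder word list; the EFF long list used in practice has 7,776 entries.
CONSTRUCTED_WORDLIST = [
    "granite", "velvet", "harbor", "comet", "lantern", "meadow", "quartz", "saffron",
    "tundra", "walnut", "ember", "fjord", "ginger", "hazel", "ivory", "juniper",
]


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1, the digest the range scheme is keyed on (it is a lookup key, not a password hash)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the server side of a range query: given the first 5 hex characters of a
    SHA-1 hash, return 'SUFFIX:COUNT' lines for every corpus hash sharing that prefix.
    The server sees the prefix only, so it cannot tell which (if any) of the returned
    hashes is the client's."""
    assert len(prefix) == 5, "range queries use a 5-character prefix"
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Client side: send only the prefix, match the suffix locally, return the breach count (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def vet_password(password: str, min_length: int = 12, range_lookup=fake_range_lookup) -> tuple:
    """Policy a signup or password-change form could apply: long enough and never seen in a breach."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"appeared {seen} times in breach data"
    return True, "ok"


def generate_passphrase(words=CONSTRUCTED_WORDLIST, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words drawn uniformly with the OS CSPRNG
    (secrets, never random) so every word carries log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size: int, count: int) -> float:
    """Guessing strength of a random-word passphrase, assuming the attacker knows the list."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    print(vet_password("password", min_length=8))
    candidate = generate_passphrase()
    print(candidate, vet_password(candidate), f"{passphrase_entropy_bits(len(CONSTRUCTED_WORDLIST), 6):.0f} bits")
```

Note what the entropy function says about the toy list: six words from 16 give only 24 bits, while six words from a 7,776-word list give about 77 bits, which is why the size of the list matters as much as the number of words. The breach check is worth running on any password you are about to reuse for a genetics account; if it has ever appeared in a public dump it is already in every credential-stuffing list.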




Review Sharing Options: 

DNA testing services often allow you to share your genetic data with relatives or other users. Carefully review and customize these sharing options to control who can access your data.

Opt-Out of Data Sharing: 

Some services may use your data for research purposes or share it with third parties. Check if there's an option to opt out of such data sharing or participation in research studies.

Regularly Update Privacy Settings: 

Periodically revisit your privacy settings on the DNA testing platform to ensure that your data is protected according to your preferences.

Be Cautious with Third-Party Apps: 

Some DNA testing services offer third-party apps or tools to interpret your genetic data. Be cautious when granting access to these apps and review their privacy policies.

Practice Data Minimization:

Only share necessary information when utilizing DNA testing services. Minimize the data you provide to the essential details required for the testing purpose. Avoid sharing excessive or unnecessary personal information.

Regularly Review and Delete Data:

Periodically review and manage your stored genetic data. Delete any information that is no longer needed or relevant. Many services allow users to delete their data; take advantage of this feature when you no longer require the stored information.

Stay informed: 

Educate yourself about the latest privacy concerns, data retention policies and potential risks associated with genetic testing. Being aware of the evolving landscape can help you make more informed decisions. Keep an eye on news related to data breaches or security incidents involving DNA testing companies. If a breach occurs, take appropriate steps to secure your accounts and data.




Final notes

In an age where our most personal information is increasingly interconnected, it's vital to be proactive in safeguarding our privacy. The 23andMe data breach serves as a stark reminder of the complex web of data sharing and the potential risks it carries. By following these guidelines and staying informed, you can take control of your genetic data and reduce the risks associated with its exposure.


Miloš Djurdjević

“Protecting your data is not just a personal responsibility; it's a collective commitment to a safer and more secure digital world.” 

Milos Djurdjevic, 

CEO at heyData 
