
Lessons from the 23andMe Data Breach: Data Privacy in an Interconnected World

Arthur
18.12.2023

In a world driven by information, the recent 23andMe data breach has cast a glaring spotlight on the vulnerabilities within our interconnected data landscape. This breach not only exposed the sensitive genetic information of countless individuals but also emphasized the far-reaching consequences of interconnected data in our digital age.


The 23andMe Data Breach

The breach that shook the genomics world wasn't a direct attack on the company's servers; rather, it targeted individual user accounts. Accounts protected by reused or weak passwords were compromised, giving the attackers access to a goldmine of genetic data. Notably, the breach leveraged a feature known as "DNA Relatives" within 23andMe, so that each compromised account could be used to extract information about a broad spectrum of other individuals who had used the service. Within a week, four class action lawsuits were filed against 23andMe, all centered on the compromise of users' personal and health data.
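The two behaviours described above, many accounts tried from one source followed by bulk reads of the relatives feature, are what a defender would look for in authentication and API logs. The following is an added example, not code from the article or from 23andMe; the log format, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample log lines (not real 23andMe data); assumed format:
# "<timestamp> <src_ip> <event> <account> [<relatives_returned>]"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 login_fail alice
2023-10-01T10:00:02 203.0.113.5 login_fail bob
2023-10-01T10:00:02 203.0.113.5 login_ok carol
2023-10-01T10:00:03 203.0.113.5 login_fail dave
2023-10-01T10:00:03 203.0.113.5 login_fail erin
2023-10-01T10:00:04 203.0.113.5 login_ok frank
2023-10-01T10:00:05 198.51.100.9 login_ok grace
2023-10-01T10:01:00 203.0.113.5 relatives_view carol 900
2023-10-01T10:02:00 203.0.113.5 relatives_view frank 1200
2023-10-01T10:05:00 198.51.100.9 relatives_view grace 40
"""

def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ev = {"ts": parts[0], "ip": parts[1], "event": parts[2], "account": parts[3]}
        ev["count"] = int(parts[4]) if len(parts) > 4 else 0
        events.append(ev)
    return events

def stuffing_sources(events, min_accounts=5):
    """Credential-stuffing signature: one source IP trying many distinct accounts."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event"].startswith("login_"):
            seen[ev["ip"]].add(ev["account"])
    return {ip for ip, accts in seen.items() if len(accts) >= min_accounts}

def scraping_accounts(events, max_profiles=500):
    """Relatives-feature scraping: one account pulling far more profiles than normal."""
    totals = defaultdict(int)
    for ev in events:
        if ev["event"] == "relatives_view":
            totals[ev["account"]] += ev["count"]
    return {acct for acct, n in totals.items() if n > max_profiles}

def likely_compromised(events):
    """Accounts that logged in from a stuffing source and then scraped relatives."""
    bad_ips = stuffing_sources(events)
    logged_in = {ev["account"] for ev in events
                 if ev["event"] == "login_ok" and ev["ip"] in bad_ips}
    return logged_in & scraping_accounts(events)
```

Accounts returned by `likely_compromised` are the ones to force a password reset and session revocation on, and the flagged source addresses are candidates for rate limiting at the login endpoint.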


 

The interconnected nature of personal data and the rise of privacy concerns

This incident prompts us to reevaluate our understanding of privacy, data security, and corporate responsibility in the information-driven economy. Genetic databases have a unique characteristic; when an individual shares their DNA data with a company like 23andMe, it doesn't just reveal information about them but also about their relatives, even if those relatives haven't provided their own DNA samples or given consent for data collection. Essentially, their data becomes interconnected. 

The consequences of neglecting how personal data impacts others extend beyond genetic data and reach into the broader information economy. The interconnected nature of data isn't a coincidence; it's at the core of how businesses operate in the information economy, but it also creates equity issues. Every choice an individual makes about their data has ripple effects on others, potentially leading to repercussions such as:

Identification and Tracking: 

Data can be used to identify and track individuals, even if they haven't directly provided their data. The amalgamation of data from various sources, such as social media profiles, purchase history, and location data, can lead to comprehensive profiling.

Discrimination: 

The stolen genetic information from the 23andMe breach, which includes lists of individuals with specific ancestries, raises concerns about discrimination and harassment, as the leaked data includes names and locations. Furthermore, data related to genetic predispositions, like Type 2 diabetes, Parkinson's disease, or dementia, can also be exploited, potentially resulting in increased insurance premiums and employment discrimination.

Targeted Advertising and Manipulation: 

The interconnection of data enables the creation of highly detailed psychological profiles, allowing for personalized advertising and other forms of manipulation.

Security Risks: 

With interconnected data, data breaches and theft become more likely, as hackers need only compromise one system to access a substantial amount of data. These risks highlight the critical importance of robust data security measures and the protection of individuals' information in our increasingly interconnected digital landscape.


Similar to 23andMe, companies like AncestryDNA, MyHeritage, LivingDNA, and FamilyTreeDNA also collect and use interconnected personal data. This means that these companies collect genetic data from their users and use it to provide a variety of services, such as ancestry tracing, health risk assessment, and personalized genetic counseling. 23andMe isn't the first to experience a data breach; other companies that have faced data breaches include:
 

  • Veritas Genetics, a DNA testing startup, experienced a data breach in its customer-facing portal, resulting in unauthorized access to some customer information. The company did not specify when the breach occurred or provide details on the stolen data but stated that only a few customers were affected and denied that data had been stolen. While the breach did not compromise personal health information, it raises concerns about the security of genetic testing companies in safeguarding user data, particularly given the growing privacy issues in the genetics testing industry, with law enforcement gaining access to DNA databases for criminal investigations.

 

  • Vitagene, a genetic testing company, discovered that one of its AWS databases had exposed consumer data, including users' full names, birth dates, genetic health information, and other medical conditions. The breach involved around 300 files with raw genetic DNA information, some of which included users' names, as well as 1,401 user files stored with a less secure setting that was typically intended for employee access. While the database also contained some user contact details like email addresses, no credit card information, passwords, or financial data was compromised in the incident.


Protecting your privacy when using DNA testing services

When sharing sensitive personal data, such as health information, it's essential to prioritize privacy protection given the sensitive nature of genetic information and the potential risks associated with its exposure. Some actionable steps include:


Read Privacy Policies Carefully: 

Before using a DNA testing service, thoroughly review their privacy policies and terms of service. Ensure you understand how your genetic data will be collected, stored, and shared.

Enable Two-Factor Authentication (2FA): 

To protect your DNA testing account, enable two-factor authentication (2FA) and use a strong password. 2FA provides an extra layer of security by requiring a code sent to your phone in addition to your password when logging in.

Use a Strong Passphrase: 

Instead of using a single word, use a passphrase. Passphrases are longer and therefore harder to guess. Take the first letters, numbers, and punctuation of a memorable phrase to create a seemingly random combination of characters, and substitute letters with numbers or symbols for added complexity.




Review Sharing Options: 

DNA testing services often allow you to share your genetic data with relatives or other users. Carefully review and customize these sharing options to control who can access your data.

Opt-Out of Data Sharing: 

Some services may use your data for research purposes or share it with third parties. Check if there's an option to opt out of such data sharing or participation in research studies.

Regularly Update Privacy Settings: 

Periodically revisit your privacy settings on the DNA testing platform to ensure that your data is protected according to your preferences.

Be Cautious with Third-Party Apps: 

Some DNA testing services offer third-party apps or tools to interpret your genetic data. Be cautious when granting access to these apps and review their privacy policies.

Practice Data Minimization:

Only share necessary information when utilizing DNA testing services. Minimize the data you provide to the essential details required for the testing purpose. Avoid sharing excessive or unnecessary personal information.

Regularly Review and Delete Data:

Periodically review and manage your stored genetic data. Delete any information that is no longer needed or relevant. Many services allow users to delete their data; take advantage of this feature when you no longer require the stored information.

Stay Informed: 

Educate yourself about the latest privacy concerns, data retention policies and potential risks associated with genetic testing. Being aware of the evolving landscape can help you make more informed decisions. Keep an eye on news related to data breaches or security incidents involving DNA testing companies. If a breach occurs, take appropriate steps to secure your accounts and data.



 

Final notes

In an age where our most personal information is increasingly interconnected, it's vital to be proactive in safeguarding our privacy. The 23andMe data breach serves as a stark reminder of the complex web of data sharing and the potential risks it carries. By following these guidelines and staying informed, you can take control of your genetic data and reduce the risks associated with its exposure.


“Protecting your data is not just a personal responsibility; it's a collective commitment to a safer and more secure digital world.”

Miloš Djurdjević, CEO at heyData
