
23andMe Admits Data Breach Leaked the Ancestry Information of Nearly 7 Million Users

Genetic testing company 23andMe has disclosed that the October 2023 data breach leaked genetic ancestry information for millions of users.

The biotech firm discovered the leak when a threat actor began selling users’ stolen genetic information on the hacking forum BreachForums.

The trove, priced at $1 to $10 per account depending on the volume purchased, consisted of approximately 1 million data points of Ashkenazi Jewish descendants and 100,000 Chinese ancestry profiles.

The breach also leaked 4 million British genetic profiles and “the wealthiest people living in the U.S. and Western Europe.”

Subsequently, the company launched an investigation and determined that the leak was worse than anticipated.

23andMe data breach leaked ancestry information and health data

According to a new Securities and Exchange Commission (SEC) filing, the threat actors breached “a very small percentage (0.1%) of user accounts,” or roughly 14,000 individuals.

23andMe also confirmed that the data breach stemmed from a credential-stuffing attack impacting users who reused passwords across multiple sites.

According to Chris Denbigh-White, Chief Security Officer at Next DLP, “The wording in 23andMe’s statements positions the intrusion as unauthorized access due to a stolen password, framing the situation as a ‘breach of their terms of service.’ This approach seems aimed at positioning 23andMe and the affected users as victims.”

The SEC filing also disclosed that the hackers accessed information varying by account, which included genetic ancestry information and health-related data for some. Additionally, they accessed a “significant number of files containing profile information about other users’ ancestry.”

According to an additional online statement, the hackers accessed the DNA Relatives profiles of roughly 5.5 million customers after exploiting the “DNA relatives” feature.

That data included family names, profile pictures, birth years, relationship labels, percentage of DNA shared with relatives, predicted relationships, ancestry reports, and self-reported locations.

Another 1.4 million individuals who opted in to DNA Relatives profile matching had their “Family Tree profile information” accessed. That information included display names, relationship labels, birth years, and self-reported locations.

Cumulatively, the 23andMe data breach impacted 6.9 million users, accounting for roughly half of the entire company’s customer base.

“It’s concerning to see that only 0.1% of the customer base was affected, but due to the nature of the service, this apparently small percentage has a ripple effect, as the DNA Relatives feature extends the impact of the breach far beyond the initial accounts compromised,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
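The ripple effect Malik describes can be made concrete with a small model: an attacker who takes over a few opted-in accounts can read every match those accounts see, so the exposed population is the compromised accounts plus their match lists. The script below is an added example, not 23andMe code or data; the population, opt-in rate, and match counts are constructed, and the 0.1% takeover rate mirrors the SEC filing.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    opted_in: bool                                # opted in to relative matching
    relatives: set = field(default_factory=set)   # matched, opted-in user ids


def build_network(n_accounts, opt_in_rate, matches_per_user, seed=1):
    """Constructed population: each opted-in user is matched with a random
    sample of other opted-in users; matches are mutual, like a DNA-match list."""
    rng = random.Random(seed)
    accounts = {i: Account(i, rng.random() < opt_in_rate) for i in range(n_accounts)}
    opted = [a.user_id for a in accounts.values() if a.opted_in]
    for uid in opted:
        for other in rng.sample(opted, min(matches_per_user, len(opted))):
            if other != uid:
                accounts[uid].relatives.add(other)
                accounts[other].relatives.add(uid)
    return accounts


def exposed_profiles(accounts, compromised, feature_enabled=True):
    """Profiles readable by an attacker holding the `compromised` accounts: the
    accounts themselves plus, while matching is on, every match that an
    opted-in compromised account can see."""
    exposed = set(compromised)
    if feature_enabled:
        for uid in compromised:
            if accounts[uid].opted_in:
                exposed |= accounts[uid].relatives
    return exposed


def blast_radius(accounts, compromised, feature_enabled=True):
    """Exposed profiles as a multiple of directly compromised accounts."""
    return len(exposed_profiles(accounts, compromised, feature_enabled)) / len(compromised)


def simulate(n_accounts=5000, takeover_rate=0.001, opt_in_rate=0.8, matches=100, seed=1):
    """Take over a random 0.1% of accounts and compare exposure with the
    matching feature on and off (disabling it was the company's mitigation)."""
    accounts = build_network(n_accounts, opt_in_rate, matches, seed)
    rng = random.Random(seed + 1)
    compromised = set(rng.sample(sorted(accounts), max(1, int(n_accounts * takeover_rate))))
    return {
        "compromised": len(compromised),
        "exposed_feature_on": len(exposed_profiles(accounts, compromised, True)),
        "exposed_feature_off": len(exposed_profiles(accounts, compromised, False)),
    }


if __name__ == "__main__":
    print(simulate())
```

With the feature off, exposure collapses back to the accounts actually taken over, which is why a defender's risk estimate for account takeover must count the data each account can see, not just the data it owns.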

Meanwhile, the genetic testing company said it was working to remove the stolen personal data from the public domain and believes the threat actor’s activity was contained.

So far, 23andMe has no evidence suggesting that the stolen ancestry information has been misused. The company, which estimated the data breach would cost between $1 million and $2 million to remediate, also found no evidence that hackers breached its internal systems.

Moving forward, 23andMe is requiring two-step verification to log in and has forced existing customers to reset their passwords and enable multi-factor authentication. The company is also temporarily disabling the “DNA Relatives” feature to protect users’ privacy.

“The recent breach at 23andMe is a sobering reminder of the sensitivity of genetic data and the need for robust cybersecurity measures,” said Malik. “The data accessed is not just a collection of email addresses or passwords, but intimate details of an individual’s genetic makeup – information that could have serious implications for privacy and could potentially be misused.”

Leaked ancestry information may be abused

Individuals whose ancestry information was leaked online could face severe and lasting consequences. They could experience discrimination or racial profiling based on their ethnic origins or stigmatization due to their predisposition to certain health conditions.

Possible abusers of leaked ancestry information include employers, insurance companies, and law enforcement. However, the 2008 Genetic Information Nondiscrimination Act (GINA) protects victims from DNA-based discrimination and profiling.

Additionally, family secrets and undisclosed relationships could leak out and scandalize the victims, ruining their reputations. Hackers could also leverage compromised ancestry information to extort victims by threatening to expose them unless they pay a ransom.

According to Ted Miracco, CEO of Approov, exposed “family tree information, and genetic data exceeds the conventional threat posed by compromised credit cards and social security numbers.”

It remains unclear why 23andMe omitted crucial details in the SEC filing and only released them in subsequent media and online statements.

“There’s an element of transparency that needs to be addressed,” noted Malik. “23andMe’s lack of specifics about the scope of the breach leaves many questions unanswered, which does not instill confidence. It’s critical for them to provide a clear account of the incident and outline the steps they’re taking to prevent similar breaches in the future, along with what measures are being taken to support affected users.”

The genetic testing company is in the process of notifying impacted users and could include more details in the notification letters. According to George McGregor, VP of Approov, 23andMe’s response made for a “good case study in how to not handle a breach.”

“It’s difficult at this point to be confident that no more bad news will be forthcoming. In addition, there has still (as of December 4th) been no direct communication to users. Let it be a lesson for others to ensure a solid data breach plan is in place!” noted McGregor.

Lamenting the astounding lack of transparency, Nick Tausek, Lead Security Automation Architect at Swimlane, emphasized the need for companies with sensitive genetic information of millions of individuals to prioritize their cybersecurity defenses.

“A preventative approach should be utilized to ensure that breaches of this size do not occur,” said Tausek. “This includes both threat detection and response. By integrating a low-code security automation platform, organizations can expand visibility beyond the SOC in real-time, creating a more efficient response to threat actors.”

Also indicating that a simple apology cannot fix the situation, Tausek warned that the impact of the data breach could extend far beyond the compromised accounts, significantly hurting the company’s reputation and raising shareholders’ concerns.