Three years ago, a Florida man named JL decided on a whim to send a tube of his saliva to the genetic testing site 23andMe in exchange for an ancestry report. JL, like millions of 23andMe customers before him, says he was often asked about his ethnicity and sought deeper insight into his identity. He said he was surprised when the test results showed he was of Ashkenazi Jewish heritage.
JL said he didn't think much about the consequences until he learned that the company had suffered a major breach, exposing the data of nearly 7 million people, about half of the company's customers. To make matters worse, he later learned that a hacker using the pseudonym “Golem” had obtained the names, addresses, and genetic heritage of 1 million 23andMe customers who, like him, have Ashkenazi Jewish ancestry, and was trying to sell the data on a dark web forum. Suddenly, JL worried that his own rash decision to catalog his genes had put him and his family at risk.
“I didn't know that my family could be targeted,” he said. “I may have put my family and myself at risk by doing it out of curiosity.”
JL, who asked to be identified only by his initials due to ongoing privacy concerns, is one of two plaintiffs in a recent class action lawsuit filed against 23andMe in California. The plaintiffs allege that the company failed to properly notify users of Jewish and Chinese descent. The complaint alleges that the hackers placed these users on a “specially curated list” that may have been sold to individuals seeking to cause harm.
23andMe subsequently confirmed that hackers had accessed 14,000 user accounts over a five-month period last year, exposing detailed and sensitive reports about users' health. The company detailed the exact type of data stolen in the months-long breach in a January data breach notification sent to the California attorney general. Hackers accessed users' “uninterrupted raw genotype data” and other highly sensitive information, such as health predisposition reports and carrier status reports generated from processing users' genetic information. To make matters worse, 23andMe confirmed that the thieves also accessed the personal information of up to 5.5 million other people who had opted in to the feature that allows users to find and connect with genetic relatives.
23andMe publicly acknowledged the attack in early October after a user posted on a 23andMe subreddit about data being put up for sale. Further investigation into the incident revealed that hackers had been attempting to gain access, and sometimes succeeding, since at least April 2023. The attack lasted for nearly five months, until the end of September.
A far larger group of users had other, potentially less sensitive, data exposed through 23andMe's opt-in DNA Relatives feature. This feature lets the company automatically share data among other potentially related users on the platform. In other words, hackers who accessed users' accounts via compromised passwords were also able to siphon data about those users' potential relatives. This optional feature gives users insight into a variety of data points, including names of relatives, predicted relationships, and the percentage of DNA shared with matches. It may also include individual ancestry reports, matching DNA segments, and uploaded photos.
Eli Wade-Scott, one of the lawyers representing JL in the class action lawsuit, said these ethnic groupings could amount to a “hit list.” Jay Edelson, another attorney representing these users, worried that the list of users could be attractive to terrorists looking to identify people of Jewish descent. He also said the data could be used by Chinese intelligence agencies, which have a history of monitoring and threatening dissidents abroad, to target those critical of the government and state.
“This is a complete paradigm shift when it comes to the impact of data breaches,” Edelson added.
Months after first learning of the breach, 23andMe sent letters to several customers who had filed legal action against the company. The company defended itself by arguing that the breach could not lead to any real-world problems and that “any information that may have been accessed cannot be used for any harm.” It also blamed the hack on users who “inadvertently recycled and failed to update their passwords.” Cybersecurity experts call this reuse of passwords leaked from one site to log in to another a “credential stuffing” attack.
“Accordingly, this incident is not the result of an alleged failure by 23andMe to maintain reasonable security measures,” 23andMe concluded.
But multiple lawyers and genetic privacy experts say the company should have foreseen such attacks and taken more steps to protect this highly sensitive and intimate data. “You shouldn't be able to carry out an attack like this for months and go unnoticed by anyone at 23andMe,” he says.
Barbara Prainsack, a professor at the University of Vienna who specializes in comparative policy, was herself a 23andMe customer. She said companies have had a long time to protect themselves and establish data breach protocols, and 23andMe didn't appear to have done either. “This is almost a textbook example of how things shouldn't be done.”
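The pattern described above, credential stuffing that runs for months against many accounts, leaves a recognizable footprint in ordinary authentication logs: one source trying many distinct usernames in a short window with a low success rate. The following is an added example, not code from the article or from 23andMe; the log format, the IP addresses, the usernames and the thresholds are constructed for illustration.

```python
# Added example: flagging a credential-stuffing pattern in login logs.
# Log format, addresses, usernames and thresholds are assumptions, not 23andMe's.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays ten different accounts in ten seconds (stuffing pattern);
# 198.51.100.4 is one user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2023-04-02T01:00:01 203.0.113.7 alice FAIL
2023-04-02T01:00:02 203.0.113.7 bob FAIL
2023-04-02T01:00:03 203.0.113.7 carol OK
2023-04-02T01:00:04 203.0.113.7 dave FAIL
2023-04-02T01:00:05 203.0.113.7 erin FAIL
2023-04-02T01:00:06 203.0.113.7 frank FAIL
2023-04-02T01:00:07 203.0.113.7 grace OK
2023-04-02T01:00:08 203.0.113.7 heidi FAIL
2023-04-02T01:00:09 203.0.113.7 ivan FAIL
2023-04-02T01:00:10 203.0.113.7 judy FAIL
2023-04-02T01:05:00 198.51.100.4 alice FAIL
2023-04-02T01:05:10 198.51.100.4 alice FAIL
2023-04-02T01:05:20 198.51.100.4 alice OK
2023-04-02T03:00:00 192.0.2.9 mallory OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=8, max_success_rate=0.5):
    """Return {ip: {"attempts", "distinct_users", "takeovers"}} for every source
    that tried at least `min_users` different accounts inside `window` while
    succeeding on at most `max_success_rate` of its attempts.  A single user
    retrying their own password touches one account and is never flagged."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_rate:
                prev = alerts.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        # Accounts that were successfully logged into from a
                        # flagged source: candidates for forced password reset
                        # and session revocation.
                        "takeovers": sorted(set(successes)),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are the tunable part: a stuffing campaign that is throttled to stay under `min_users` per window per source, or spread over many sources, will not trip this rule alone, which is why per-source counts are usually paired with a global view (failed logins per unit time across all sources, successes from addresses never seen for that account) and with mandatory two-factor authentication, which turns a correct password into a non-event.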
She added that blaming consumers for their own relatively minor security flaws is “morally and politically foolish.”
23andMe users who are suing the company for negligence appear to agree. They say they would never have purchased the company's kit if they had known how lax its security was. Since the breach, more than 20 23andMe users have filed individual and class action lawsuits accusing the company of negligence and privacy violations. The specifics of each lawsuit vary, but all claim that the company failed to “implement and maintain appropriate security measures.”
“23andMe lied to customers about how it would protect their data, failed to reasonably protect it in accordance with industry standards, lied about the scope and seriousness of the breach, and failed to notify customers such as JL that they were being specifically targeted, ultimately exposing them to many unforeseen threats and dangers,” JL's complaint states.
The slow-burning data breach scandal is a further blow to a company that has fallen rapidly from the top echelon of Silicon Valley exceptionalism in recent years. The company went public in 2021 at a valuation of $3.5 billion. Now its value is around $300 million, a decrease of 91%. 23andMe has never been profitable in its 18-year history. Funding could run out by 2025. In just a few years, the company that once seemed destined to become the “Google of Spitting” is struggling to stay listed on the Nasdaq, despite repeated attempts by co-founder and CEO Anne Wojcicki to allay investor concerns.
Experts said the downstream effects of hackers holding compromised genetic data remain largely hypothetical. Still, they cautioned that malicious actors with this kind of information and sufficient motivation could use it to identify individuals or even blackmail them by threatening to reveal sensitive information. Combined with other personal information, the data collected in the 23andMe breach could enable sophisticated identity fraud.
Murat Kantarcioglu, a computer science professor at the University of Texas at Dallas, said he could imagine a scenario in which an attacker with data linking an individual to a previously unknown relative threatens to make the relationship public. Other data that reveals a user's family history of mental health problems could be exploited by employers to pass over people seeking jobs or promotions, Kantarcioglu said.
As of this writing, 23andMe requires two-factor authentication by default for all users. The additional layer of security, which critics have been demanding for years, was only enabled by default after the breach.
To complicate matters further, legal experts say 23andMe recently made subtle changes to its terms of service that make it more difficult for victims to come together and file large-scale arbitration cases, TechCrunch reports. These changes were reportedly made just two days before 23andMe officially disclosed the data breach. 23andMe denies accusations that it changed its terms of service to thwart lawsuits, saying it made the changes to help resolve disputes more quickly.
“In the middle of the night they [23andMe] gamed the system and changed the terms to make any kind of large-scale arbitration basically impossible,” Edelson said. Doug McNamara, a partner at Cohen Milstein, described the maneuver as a “desperate attempt [by 23andMe] to discourage and deter litigation” in a December interview with TechCrunch.
It's been nearly a year since hackers first attempted to access 23andMe users' accounts, but the company's legal and regulatory concerns are likely just beginning. Apart from the spreading lawsuits, members of Congress are also involved. In January, New Jersey Democratic Rep. Josh Gottheimer sent a letter to FBI Director Christopher Wray requesting that the FBI launch an investigation into the company and determine whether the exposed data could be used to target the Jewish community. That came shortly after Arizona Attorney General Kris Mayes sent a letter to 23andMe requesting additional information about the company's security protocols.
Experts are concerned that the ramifications of the 23andMe breach could extend beyond the company itself. Prainsack worries that the fear that comes from a data breach could make people less likely to share their personal health data, not just with 23andMe, but with traditional doctors as well. That lack of trust can make it more difficult to treat patients appropriately.
Kantarcioglu of the University of Texas said this is likely not the last data breach of its kind to affect genetic testing companies. “It's hard to understand how much higher the risk is when there are extremist organizations all over the world who call for the murder of Jews,” said JL's attorney Edelson. “The way we buy and sell information is like the Defcon One of the privacy world.”