EXECUTIVE SUMMARY:

The genetics company 23andMe is looking into another data leak. A few weeks ago, a hacker published a trove of stolen user data on the internet. On Tuesday, the same hacker claimed to have leaked another 4 million genetic profiles, posting this latest tranche of data on the hacking site BreachForums.

Data leak legitimacy

“We are currently reviewing the data to determine if it is legitimate,” says Katie Watson, Vice President of Communications for 23andMe. “Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.”

In relation to the previous data leak, 23andMe has ascertained that the data was legitimate, and that it affected the platform’s DNA Relatives feature, which allows users to match with potential genetic relatives on the platform.

The most recent leak also involves 23andMe’s DNA Relatives feature. The hacker responsible for the leak may have extracted and exploited information about individuals with whom a person has been genetically matched.

Why stolen genetic data is such a big deal

Genetic data contains highly personal and sensitive information about a person’s genetic makeup, ancestry, family relations, and health conditions, among other things.

As an article in the journal Nature points out, “Whether for profit, blackmail or simply mischief, DNA thieves can wreak havoc on their victims’ lives.”

Hackers could attempt to sell genetic data back to users for a ransom, threatening to publish sensitive information (ancestry, health status, children born out of wedlock, etc.) widely if payment is not made.

And as one reply to a Verge comments thread half-jokingly suggested, “insurance companies will buy out your info, then refuse to sell you insurance based on your genetics.”

If that prospect sounds ludicrous, consider that in the U.S. only a handful of states have laws restricting disability and life insurance underwriters from using a person’s genetic information when creating policies, although health insurers are barred from the practice.

Emergent class-action lawsuits

The data leaks have spurred a set of class action lawsuits against 23andMe, including five in California, where the company maintains headquarters.

In one case, plaintiffs allege that the company failed to apply “adequate and reasonable cybersecurity procedures and protocols necessary to protect victims’ PII”.

Among other things, the suit also alleges that 23andMe ignored users’ rights, didn’t adequately secure data systems from unauthorized intrusions, and did not monitor its networks, which would have enabled the company to discover the intrusion sooner.

Claims in three of the other lawsuits are very similar in nature. One suit brought claims for negligence, invasion of privacy, breach of contract and breach of implied contract.

If this breach affects you…

23andMe users have been urged to change their passwords and to enable multi-factor authentication on their accounts.

Consumers can also request for 23andMe to delete an account, stop using personal data in new research studies, and destroy the genetic sample originally submitted.

However, during the deletion process, 23andMe informs customers that the company and its partner lab will maintain “genetic information, date-of-birth and sex” after the account is deleted, per state and federal legal requirements.

A company spokesperson has said that the retained data simply isn’t tied to an individual’s name. Nonetheless, so-called anonymous genetic data can, in some cases, be re-identified.
