Security Breach at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

A potential federal class action lawsuit looms on the horizon as the genetics company seeks to identify the root cause of the security breach. This incident serves as a stark reminder to clinical laboratories regarding the paramount importance of safeguarding patient information.

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other entities in the genetics industry, would likely become targets of cyberattacks. Those forecasts now appear to have materialized, underscoring the need for vigilance in clinical laboratory settings as well. In an official blog post dated October 6, 23andMe confirmed that confidential data from thousands of its customers had been compromised and could be available on the dark web.

Wired reported that “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum used to advertise, trade, and discuss stolen databases and other material from cyberattacks.

According to Wired, “Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” while noting that “hundreds of thousands of users of Chinese descent” were also affected.

The leaked information included full names, dates of birth, gender, locations, profile images, and genetic and ancestry data, as reported by Bleeping Computer.

23andMe acknowledges that the leaked data is genuine but maintains that it has found no evidence of an intrusion into its own systems, as reported by Wired. The distinction matters: the accounts were entered with valid passwords, not by exploiting a flaw in 23andMe’s infrastructure.

The Genetics Company’s Perspective on the Data Leak

23andMe has confirmed the authenticity of the leaked data. A spokesperson from 23andMe stated, “Threat actors used exposed credentials from other breaches [of other companies’ systems] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” as reported by Bleeping Computer.

However, 23andMe contends that the data leak does not appear to be a result of a security breach within the 23andMe systems. The spokesperson added, “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The genetics company has determined that the compromised accounts belonged to users who had opted in to the DNA Relatives feature on its website, which lets a logged-in user view profile information for other users identified as genetic relatives. Because each compromised account exposes the profiles of its matched relatives, a relatively small number of account takeovers can yield a far larger number of profiles. Bleeping Computer accordingly pointed out that “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.”
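The technique 23andMe describes is credential stuffing: an attacker replays username/password pairs leaked from other sites, and every hit is a valid login that looks normal in isolation. What distinguishes it in server-side logs is one source trying many distinct accounts with a high failure rate. The following is an added example written for this page, not 23andMe’s code, logs, or log format; the `src=`/`user=`/`result=` line layout, the sample entries, and the thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over web-login audit logs.

Added example for illustration; not 23andMe's code or log format.
The line format, field names, sample entries and thresholds are
assumptions constructed for this example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). 203.0.113.7 works through a list
# of leaked username/password pairs: many distinct accounts, mostly
# failures, one hit. 198.51.100.4 is a single user mistyping their own
# password twice; 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-10-01T12:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2023-10-01T12:00:03Z src=203.0.113.7 user=carol@example.com result=OK
2023-10-01T12:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2023-10-01T12:00:05Z src=203.0.113.7 user=eve@example.com result=FAIL
2023-10-01T12:00:06Z src=203.0.113.7 user=fay@example.com result=FAIL
2023-10-01T12:05:00Z src=198.51.100.4 user=erin@example.com result=FAIL
2023-10-01T12:05:09Z src=198.51.100.4 user=erin@example.com result=FAIL
2023-10-01T12:05:20Z src=198.51.100.4 user=erin@example.com result=OK
2023-10-01T12:06:00Z src=192.0.2.9 user=frank@example.com result=OK
"""

# Assumed log line layout (hypothetical, chosen for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log lines into LoginEvent objects, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Return {src: (distinct_users, attempts, failures)} for every source
    that, inside some sliding time window, attempted at least min_users
    distinct accounts with a failure ratio of at least min_fail_ratio.

    A user retrying their own password is many attempts on ONE account and
    never reaches min_users; a stuffing run is many accounts with few
    successes, which is exactly what the two thresholds together capture.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        users = Counter()   # accounts currently inside the window
        failures = 0
        start = 0
        for end, ev in enumerate(evs):
            users[ev.user] += 1
            failures += not ev.ok
            # Slide the window start forward past events older than `window`.
            while ev.ts - evs[start].ts > window:
                old = evs[start]
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                failures -= not old.ok
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and failures / attempts >= min_fail_ratio:
                best = flagged.get(src)
                if best is None or len(users) > best[0]:
                    flagged[src] = (len(users), attempts, failures)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in SUCCESSFULLY from a flagged source. These are
    the recycled credentials that worked: force a password reset and revoke
    their sessions, even though each login looked legitimate on its own."""
    return sorted({ev.user for ev in events if ev.ok and ev.src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(evs)
    for src, (users, attempts, failures) in hits.items():
        print(f"{src}: {users} accounts, {failures}/{attempts} failures")
    print("force reset:", accounts_to_reset(evs, hits))
```

The detection keys on the source, not the account, because the attacker’s successes are indistinguishable from ordinary logins at the account level; once a source is flagged, its successful logins are the list of accounts whose passwords must be assumed compromised. In production the same logic would run over an IP prefix or client fingerprint rather than a single address, since stuffing tools rotate through proxies.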

The Monetization of Private Information

Following the 23andMe data breach, private genetic data swiftly became available online for a price. Bleeping Computer reported that “On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.”

Notably, stolen medical records have become more valuable than credit card information, with experts indicating that “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, as reported by Bleeping Computer.

In its 2018 Global Security Report, cybersecurity firm Trustwave estimated the black-market value of medical records to be $250 each, in stark contrast to credit card numbers, which sell for approximately $5 each on the dark web. Social Security numbers can be procured for as little as $1 each, as reported by Fierce Healthcare.

The Value of Patient Health Data

Clinical laboratory managers and pathologists should take careful note of the premium the dark web places on patient health data compared with credit card information for the same individuals. From an attacker’s perspective, breaking into a medical laboratory to steal patient health data can be far more lucrative than targeting a retailer’s credit card data.

An Inevitable Federal Lawsuit

Whatever security measures 23andMe says it has in place, the data breach swiftly triggered a proposed federal class action lawsuit, filed on October 9 in the US District Court for the Northern District of California. The lawsuit, “filed by plaintiffs representing all persons who had personal data exposed,” alleges that information belonging to prominent individuals such as Mark Zuckerberg, Elon Musk, and Sergey Brin was among the compromised data, as reported by Bloomberg Law.

The court documents state, “Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time, and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe.”

The lawsuit brings forth claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment, as noted by Bloomberg Law. Furthermore, it alleges that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs seek various forms of redress, including actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, as well as pre- and post-judgment interest, according to Bloomberg Law.

Mitigating Future Data Breaches

That experts’ long-standing concerns about data security at genetics companies such as 23andMe have now been realized highlights the imperative of protecting sensitive genetic information. Brett Callow, a threat analyst at data security firm Emsisoft, emphasized, “This incident really highlights the risks associated with DNA databases,” pointing to the concerns that arise when extremely sensitive information is made available through services designed like social networks to encourage sharing.

Clinical laboratory databases contain vast quantities of protected health information (PHI). Prudent lab managers must therefore take proactive measures to secure patient data against today’s evolving cyber threats. Given that this incident began with passwords reused from other sites, the measures most directly relevant are requiring multi-factor authentication, rejecting passwords that appear in known breach corpora, rate-limiting login attempts per source, and limiting how much data a single authenticated account can enumerate through sharing or matching features.

Jerry Cruz
