April 13, 2024

Hackers obtained data on nearly 7 million people from 23andMe. The company blamed users for a ‘very stupid’ attitude

Three years ago, a man in Florida named JL decided, on a whim, to send a tube of his saliva to the genetic testing site 23andMe in exchange for an ancestry report. JL, like millions of other 23andMe participants before him, says he was frequently asked about his ethnicity and longed for deeper insight into his identity. He said he was surprised by the diversity of his test results, which showed he had some Ashkenazi Jewish heritage.

JL said he didn’t think much about the results until he learned of a major breach at the company that exposed the data of nearly 7 million people, about half of the company’s customers. Worse, he later learned of a hacker using the pseudonym “Golem” who offered to sell the names, addresses and genetic heritage allegedly belonging to 1 million 23andMe customers with similar Ashkenazi Jewish heritage on an obscure dark web forum. Suddenly, JL feared that his own irreverent decision to catalog his genes could put him and his family at risk.

“I didn’t know my family would potentially be a target,” he said. “I may have put my family and myself in danger for something I did more out of curiosity than anything.”

JL, who asked to be identified only by his initials due to ongoing privacy concerns, is one of two plaintiffs listed in a recent class action lawsuit filed in California against 23andMe. The plaintiffs claim the company failed to adequately notify users of Jewish and Chinese heritage after they were allegedly attacked. The lawsuit alleges that hackers placed these users on “specially curated lists” that could have been sold to individuals seeking to cause harm.

23andMe has since confirmed that hackers gained access to 14,000 user accounts over a five-month period last year, some of which revealed detailed and confidential reports on users’ health. The company revealed details about the exact types of data stolen in its months-long breach in a January data breach notification letter sent to the California attorney general early last month. Hackers accessed users’ “uninterrupted raw genotypic data” and other highly sensitive information, such as health predisposition reports and carrier status reports obtained from processing a user’s genetic information. Even worse, 23andMe confirmed that thieves also accessed other personal information from up to 5.5 million people who opted in to a feature that allows them to find and connect with genetic relatives.

23andMe only publicly acknowledged the hackers’ attacks after a user posted about the data for sale on a 23andMe subreddit in early October. An investigation delving deeper into the incident revealed that hackers had been trying, sometimes successfully, to gain access since at least April 2023. The attacks continued for nearly five months, until the end of September. In an email sent to the Guardian, a 23andMe spokesperson said the company did not “detect a breach” in 23andMe systems and instead attributed the incident to compromised recycled login credentials of certain users.

A much larger subsection of users has had other, potentially less sensitive data exposed through 23andMe’s optional DNA Relatives feature, which automatically allows the company to share data among other users on the platform with whom they may be related. In other words, hackers who gained access to a user’s account through compromised passwords were also able to extract data about potential relatives. The optional feature provides users with information on a variety of data points, including the name of their relatives, their predicted relationship, and the percentage of DNA shared with matches. It may also include an individual ancestry report, matching DNA segments, and uploaded photos.

Eli Wade-Scott, one of the lawyers representing JL in the class action, said these supposedly specific ethnic groups could constitute a “hit list.” Jay Edelson, another attorney representing these users, worried that these lists of users could appear attractive to terrorists seeking to identify people of Jewish heritage. He also said that Chinese intelligence agencies, which have a history of surveilling and intimidating dissidents abroad, could use the data to target people who criticize the government or even nation states.

“This is a total paradigm shift when it comes to the implications of a data breach,” Edelson added.

Months after learning about the breach, 23andMe sent a letter to several customers taking legal action against the company. The company defended itself by saying that the breach could not lead to real-world problems: “The information that was potentially accessed cannot be used for any harm.” It also blamed the hack on users who “negligently recycled and failed to update their passwords.” Cybersecurity professionals refer to the weaponization of these repeated digital keys as “credential stuffing” attacks.

“Therefore,” 23andMe concluded, “the incident was not the result of 23andMe’s alleged failure to maintain reasonable security measures.”

But several lawyers and genetic privacy experts say the company should have foreseen such an attack and done much more to protect this intimate and highly confidential data. “You shouldn’t be able to do an attack like this over the course of months and not have anyone at 23andMe warn you,” Wade-Scott said.
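The detection gap Wade-Scott describes is what a credential-stuffing monitor exists to close: because recycled passwords give the attacker one good guess per account, per-account lockouts never fire, but a single source trying many distinct accounts in a short window with a high failure rate stands out immediately. The following is an added example, not code from the article or from 23andMe; the log format, IP addresses and usernames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format: timestamp ip user outcome).
# One source tries seven different accounts in seven seconds; two of them succeed.
SAMPLE_LOG = """\
2023-04-03T10:00:01 203.0.113.7 alice FAIL
2023-04-03T10:00:02 203.0.113.7 bob FAIL
2023-04-03T10:00:03 203.0.113.7 carol OK
2023-04-03T10:00:04 203.0.113.7 dave FAIL
2023-04-03T10:00:05 203.0.113.7 erin FAIL
2023-04-03T10:00:06 203.0.113.7 frank OK
2023-04-03T10:00:07 203.0.113.7 grace FAIL
2023-04-03T10:05:00 198.51.100.9 alice FAIL
2023-04-03T10:05:30 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many distinct accounts with mostly failures inside one window.

    Returns {ip: (distinct_accounts, failures, [accounts that were successfully entered])}.
    The successful accounts are the ones a defender must force a password reset on.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` relative to the newest one.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(accounts) > prev[0]:
                    oks = sorted({e[2] for e in win if e[3]})
                    alerts[ip] = (len(accounts), fails, oks)
    return alerts
```

The second source in the sample (one account, one retry, then success) is ordinary user behaviour and is not flagged; real campaigns spread attempts over many proxies, so the same aggregation should also be run per ASN or per device fingerprint rather than per IP alone.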

Barbara Prainsack, a professor of comparative politics at the University of Vienna, was herself a 23andMe customer. She said the company had plenty of time to protect itself and establish data breach protocols. 23andMe, she said, appeared to have done neither: “This is almost a classic case of how things shouldn’t be done.”

She added that blaming consumers for their relatively minor security lapses is “morally and politically very stupid.”

23andMe users suing the company for negligence seem to agree. They say they would never have purchased the company’s kits if they had known how lax their security was. Since the breach, more than two dozen 23andMe users have filed individual and class-action lawsuits accusing the company of negligence and invasion of privacy. The specifics of each of the lawsuits vary, but each argues that the company failed to “implement and maintain adequate security measures.”

“23andMe lied to customers about how it would protect their data, failed to reasonably protect their data according to industry standards, lied about the scope and severity of the breach, failed to notify its Jewish and Chinese customers that they were specifically targeted, and in the end, exposed them to a series of threats and dangers that they would never have imagined,” says JL’s lawsuit.

The slow-moving data breach scandal adds insult to injury for a company that has fallen precipitously from the highest echelons of Silicon Valley exceptionalism in recent years. The company went public in 2021 with a value of US$3.5 billion; it is now worth about $300 million, a 91% decline. 23andMe has never made a profit in its 18-year history. It could run out of money by 2025. In just a few years, the company that once seemed destined to become the “Google of saliva” is struggling to stay on the Nasdaq despite co-founder and CEO Anne Wojcicki’s repeated attempts to calm investor concerns.

Experts said the downstream consequences of hackers accessing breached genetic data remain largely hypothetical. Still, they warned that a bad actor armed with this type of information and enough motivation could potentially use it to identify an individual or blackmail them, threatening to reveal even more sensitive information. Combining the data collected in the 23andMe breach with other personal information could enable sophisticated identity fraud.

Murat Kantarcioglu, a professor of computer science at the University of Texas at Dallas, said he could imagine a scenario in which an attacker armed with data linking an individual to a previously unknown relative could blackmail them by threatening to make that connection public. Other data that reveals a user’s family history with mental health issues, Kantarcioglu said, could be misused by an employer to pass over someone seeking employment or promotion.

At the time of writing, 23andMe requires two-factor authentication by default for all of its users. This additional layer of security, which critics had demanded for years, was only enabled by default after the breach. 23andMe says it also required all of its customers to reset their passwords following the incident.

Confusing matters further, legal experts believe 23andMe recently made subtle changes to its terms of service, making it more difficult for victims to band together to pursue mass arbitration lawsuits, TechCrunch reported. These changes came just two days before 23andMe officially disclosed the data breach. 23andMe denies allegations that it changed its terms of service to deter lawsuits and instead said it made the changes to speed up dispute resolution.

“Customers continue to have the right to seek public injunctive relief,” a 23andMe spokesperson said in an email.

“In the middle of the night, they [23andMe] changed their terms to game the system and make it basically impossible to bring in any kind of large volume of arbitration,” Edelson said. Cohen Milstein partner Doug McNamara described the maneuver as a “desperate attempt to dissuade and dissuade from prosecuting [23andMe]” in a December interview with TechCrunch.

Nearly a year has passed since hackers first tried to gain access to 23andMe users’ accounts, but the company’s legal and regulatory concerns are likely just beginning. In addition to the spreading lawsuits, lawmakers are getting involved. In January, New Jersey Democratic Representative Josh Gottheimer wrote a letter to FBI Director Christopher Wray urging the agency to launch an investigation into the company to determine whether or not the exposed data could be used to target Jewish communities. This came on the heels of a letter sent to 23andMe by Arizona Attorney General Kris Mayes seeking additional data on the company’s security protocols.

Experts fear that the ripple effects of the 23andMe breach could extend beyond the company itself. Prainsack worries that anxiety over the breach could make people less likely to share personal health data, not just with 23andMe but also with more traditional doctors. This lack of trust can make it more difficult to treat patients appropriately.

Kantarcioglu of UT Dallas said this would likely not be the last data breach of its kind to affect genetic testing companies. “There are extremist groups calling for the death of Jews all over the world, so it’s difficult to see how the risks could be higher,” said Edelson, JL’s lawyer. “The way information is bought and sold is a kind of Defcon One in the world of privacy.”
