
6.9 million users affected by the 23andMe data breach 



Genetic information may be used more and more widely in the future and must be handled with due care and classified under special category personal data due to its sensitivity. 23andMe, a US genetic testing services company, announced on December 5, 2023, that about 6.9 million people had been affected by a data breach that occurred in October. Attempts were made to sell some of the stolen data via a well-known hacker forum.

Figure 1. 23andMe Blog Post Reporting Data Leakage

Genetic testing for identifying risk of disease and ancestry

23andMe is a company that provides genetic testing services. Founded in San Francisco in 2006, the company derives its name from the 23 pairs of chromosomes in human DNA. 14 million people have used the service. Customers purchase a test kit costing between $100 and $300, depending on the type of testing, and send saliva samples to the company to understand the likelihood of a genetic risk of disease such as diabetes or asthma, as well as to understand their ancestry. Its signature membership service is called DNA Relatives, which allows members with close DNA to share information with each other, such as name, DNA match percentages, location, profile picture and genealogy data if desired.

Attempts to sell sensitive data on hacker forum

On October 2, 2023, one million records were posted on a major hacker forum. The scope subsequently increased as additional data was posted and the attacker attempted to sell data profiles.

increase the probability that a victim organization will pay a ransom, operators are emulating typical business models and leveraging legitimate services to communicate, market and enhance its ‘brand’ strength.

Figure 2. 23andMe data leaked on hacking forum

23andMe response to the breach

On October 6, 23andMe announced on its official blog that information had been stolen through a credential-stuffing attack. Credential-stuffing is a cyberattack where criminals use stolen login credentials from one system to attempt to access an unrelated system (via automated injection), working on the premise that people often use the same user ID and password across multiple accounts. The credentials used in the attack were exposed from other data breaches, and attackers were successful due to 23andMe customers using the same credentials elsewhere. After the breach, 23andMe asked all users to reset their passwords and additionally implemented 2-Factor authentication (2FA).

Attackers were able to access other users’ information using the “DNA Relatives” feature

In a December filing with the Securities and Exchange Commission reporting the security incident, the company said the data of 0.1 percent of its 14 million users (14,000) was compromised. However, the company also stated that attackers were able to access other users’ information using the “DNA Relatives” feature. In other words, because customers had opted into the “DNA Relatives” feature, attackers were able to access additional data about other users’ ancestry that those users chose to share.

On December 5, the company posted an official blog post stating that data of about 6.9 million people had been stolen. Several lawsuits have been filed against 23andMe for failing to notify customers and for failing to take adequate security measures that would have helped monitor for abnormal activity and stop the intrusion much sooner.

Guidelines from Public Agencies

In Japan, the Ministry of Economy, Trade and Industry has formulated “Guidelines for the Protection of Personal Information in Business Areas Using Personal Genetic Information” as guidelines for information security in services using genetic information. The guidelines mandate that safety management measures be taken, stating, “With regard to the handling of personal genetic information, organizational, human, physical, and technical measures shall be taken to prevent the leakage, loss, or damage of information and for other safety management of information.”

In the United States, the National Institute of Standards and Technology released a report titled “Cybersecurity of Genomic Data” on December 10, 2023. The report raised questions about the current state of genetic security, saying that there are specific concerns about genetic information compared to other types of data, but current policies and management practices cannot adequately address them. In the near future, NIST is developing a framework that will allow companies handling genetic information to take security measures.

Summary

23andMe made vital changes to its defense against credential stuffing by mandating the use of multi-factor authentication. We can only assume 23andMe has bolstered security via other methods, such as implementing technology or services for detecting abnormal traffic and limiting authentication requests. Organizations in general should enforce security best practices for their own customers' benefit, but more is needed to raise awareness among individuals about following password length and complexity practices, using multi-factor authentication and taking a careful approach to sharing or providing any personal information on the internet.
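
The detection of abnormal login traffic mentioned above can be illustrated over authentication logs. This is an added example, not code from 23andMe or from the original post: it flags a source address that tries many different accounts in a short window with a low success rate, and lists the accounts it got into. The log format, thresholds, function name and sample events are constructed assumptions, and grouping by source IP is a simplification.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, success).
SAMPLE_EVENTS = [
    # One source, six different accounts in 25 seconds, one hit: stuffing pattern.
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", False),
    ("2024-01-01T10:00:05", "203.0.113.7", "bob", False),
    ("2024-01-01T10:00:10", "203.0.113.7", "carol", True),
    ("2024-01-01T10:00:15", "203.0.113.7", "dave", False),
    ("2024-01-01T10:00:20", "203.0.113.7", "erin", False),
    ("2024-01-01T10:00:25", "203.0.113.7", "frank", False),
    # One user mistyping a password: several failures but a single account.
    ("2024-01-01T10:01:00", "198.51.100.20", "grace", False),
    ("2024-01-01T10:01:10", "198.51.100.20", "grace", False),
    ("2024-01-01T10:01:30", "198.51.100.20", "grace", True),
] + [
    # Shared office NAT: many accounts, but every login succeeds.
    (f"2024-01-01T10:02:0{i}", "192.0.2.50", f"staff{i}", True) for i in range(5)
]

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.2):
    """Return {ip: {"accounts": [...], "compromised": [...]}} for suspect sources."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            hits = {u for _, u, ok in win if ok}
            ratio = sum(ok for _, _, ok in win) / len(win)
            best = len(flagged.get(ip, {}).get("accounts", []))
            if (len(users) >= min_accounts and ratio <= max_success_ratio
                    and len(users) > best):
                # Accounts in "compromised" need a forced reset and session revocation.
                flagged[ip] = {"accounts": sorted(users), "compromised": sorted(hits)}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The mistyped-password and shared-NAT sources are not flagged, because the rule requires both many distinct accounts and a low success ratio.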

Genetic information may be used more and more widely in the future, therefore it must be handled with due care and classified under special category personal data due to its sensitivity. For example, if information about genetic disease risks is leaked, victims could potentially suffer serious disadvantages in insurance contracts and job searches. In addition, a leak can expose information not only about individual users but also about their close genetic relatives, thereby violating the privacy of family members, relatives, and future offspring.

While it is important for the government to develop guidelines and frameworks, their value is diminished if not adopted by service providers. Hopefully, governments and companies will work together to create an environment that maximizes the benefits of genetic information while ensuring both privacy and convenience.

About Cyber Security Insights

This blog post is part of our Cyber Security Insights, which are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
