Exeter, Devon UK • VOL XII

23andMe hit by Major Breach

Ella-Jade Smith investigates the 23andMe data breach and the lifelong risks of exposing our DNA
DNA molecules (geralt via Wikimedia Commons)

Spit in a tube, mail it off, and discover everything from long-lost relatives to whether you have the genetic predisposition to like coriander. At least that’s what I was sold when I recently purchased a 23andMe DNA testing kit. However, a data breach has exposed the genetic information of millions. How exactly has ‘the most personal gift you can give’ turned into the genetic fuel of the most significant recent credential stuffing attack?

23andMe is a company offering personalised genotyping reports. They provide their users with insight into their genetic code, covering everything from cystic fibrosis carrier status to ice cream flavour preference. Marketed as the perfect gift for the person who has everything, it now seems better suited for someone you think would be the ideal target for cyber-criminals. Of the 6.9 million users affected, an estimated 5.5 million had opted into 23andMe’s ‘DNA Relatives’ feature while a further 1.4 million had their ‘Family Tree’ profile information directly accessed. This data included names, relationship labels, birth years, and location information. The breach occurred over a five-month period last year, as confirmed in a data breach notification letter sent to California’s attorney general in January.

Credential stuffing is a cyber attack method in which hackers use compromised user credentials to gain access to a system. This is how millions of users have found themselves victims of hackers attempting to profit off their genetic makeup, and the data breach couldn’t have come at a worse time. 23andMe is currently facing significant challenges both financially and in regard to its leadership team. Following the resignation of seven individual directors, due to disagreement with the CEO, the company has reported a $69 million net loss in the first quarter of the financial year. It is certainly not the best time for the company to be faced with a $30 million class-action lawsuit. Ongoing investigations in the UK and Canada regarding 23andMe’s data security practices could see this figure increase further.

The primary issue with the breach is that it is irrevocable. DNA, the most personal data to exist, exposes users to a lifetime of potential identity attacks. Whilst there is no adequate compensation for those already impacted by the breach, 23andMe has urged all users to change their passwords and enable two-factor authentication. In the meantime, the company continues to improve its data security measures.
