23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users

An anonymous reader shares a report: On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access "a significant number of files containing profile information about other users' ancestry." But 23andMe would not say how many "other users" were impacted by the breach that the company initially disclosed in early October. As it turns out, there were a lot of "other users" who were victims of this data breach: 6.9 million affected individuals in total.

In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe's DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person's name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

what a shock

[bugs2squash]

This must surprise nobody, why anyone gives up this information voluntarily is beyond me

Re:what a shock

[NomDeAlias]

Trade value proposition

Re:what a shock

[jd]

I consider my life to be more valuable than a genetic marker. So the health information being used by researchers is of immense value to me. However, it has next to no resale value for anyone else.

The contact information is long out of date, which makes it very difficult to exploit. Sure they can give my information to American insurance companies illicitly. But I'm not in America any more, so what do I care?

There's also very little they can do with it. 23&Me collects around 0.2% of the interesting health markers and their site contains no information on the probability of a marker being relevant. If you do look the information up on, say SNPedia, you discover that most of the markers have a significance of around 10^-8. Which isn't much. It's completely useless for detecting likelihoods of someone having a condition.

No, they went after an easy, well-known, mark with a vast amount of low value data, which shows they're not very skilled and probably don't know any buyers.

Now, if they'd gone after one of the whole genome sequencing companies, it would be a very different story. The data there is much richer. You have fewer people, but far more genetic context. THAT would have been far more terrifying, because that would be more than enough data to seriously impact people in society. It would also be far more valuable to drugs companies.

Re:

[AmiMoJo]

The value of your genetic data to other people depends somewhat on your ethnicity and where you live.

There is what amounts to a race war going on in Gaza right now, for example.

Re:

[dsgrntlxmply]

Local news paraphrased a report from Wired, that someone is offering what is claimed to be information on Ashkenazi Jews from this theft. I am on 23andMe, and despite lack of any supporting family story, my results show a fraction of this ancestry. Alongside this is a small fraction that was first reported as one region of Asian, but moved on later analysis to another part of Asia. The markers are personally interesting but are neither definitive nor stable.

Re: what a shock

[La Camiseta]

In a shocking coincidence, I got an email from them this morning that they were updating their terms of service specifically related to dispute resolution and arbitration.

Re:

[TwistedGreen]

Well, let's be honest, the only people that a class action lawsuit really benefits is the lawyers...

Re:

[arglebargle_xiv]

Some people who are susceptible to particular genetic issues may want to check whether they've got something to worry about or not.

However, there's nothing to say you have to provide the DNA company with anything other than your DNA sample. I hope the hackers are able to use the genetic data they've stolen for Elwood Blues, 1080 West Addison, Chicago, Illinois, who paid for the test kit with cash.

Expect (another) Illinois lawsuit

[omnichad]

Illinois has one of the toughest biometric privacy laws in the country, surprisingly. There is already a lawsuit pending regarding sharing data with 3rd parties intentionally without consent.

When Facebook violated this new law, it was a $400 check for every Facebook user in the state.

Re:

[nightflameauto]

When Facebook violated this new law, it was a $400 check for every Facebook user in the state.

Did anyone actually receive a check? Or did you all get nice form letters telling you to send a SASE to such and such an address to collect your remaining thirty-five cents once the lawyers were done divvying it up?

Re:Expect (another) Illinois lawsuit

[omnichad]

Technically I got a $397 check last year and then there was still money left, so there was a second round payment of $30.61 early this year and a third round payment of $7.20 last month.

Re:

[nightflameauto]

Technically I got a $397 check last year and then there was still money left, so there was a second round payment of $30.61 early this year and a third round payment of $7.20 last month.

Holy shit! I'm seriously impressed. The last time I got a notice I had a thousand waiting from some action taken by the state, I sent my envelope and literally got a check back for so little it wasn't worth taking to the bank. Congrats.

Re:

[MIPSPro]

I've received a few sub-$20 checks for settlements like that. It's pathetic. Now, watch the "hackers" accidentally or purposefully release the data and it gets sucked up by every insurer in the country and used to check folks out beforehand (illegally but they won't care or get caught and if they do they'll pay a small fine). The insurers will say "Well, it's public domain information now, we simply used it."

Oh, dear.

[Black Parrot]

I hope they don't out me as a Neandertal.

Re:

[Tony Isaac]

Lucky for you, pretty much everyone is about 3-5% Neandertal.

But HOW did the hackers get this date?

[gavron]

HOW did the hackers get this data?
What measures did 23andme deploy to prevent future attacks?
Will they be offering something useless like LIfeLock or doing anyting useful?

Those are real questions. This being slashdot, no information being forthcoming is the norm.

Good questions, but not Slashdot's fault

[Excelcia]

HOW did the hackers get this data?

Great question. A better question is how they were allowed to have this data on net-facing machines to begin with. And how many top level people in government are getting quiet letters saying "We know about your love child, we want a favour or else this gets reported"?

The answer is we'll never know because laws don't compel them to disclose, and they never do.

What measures did 23andme deploy to prevent future attacks? ... Those are real questions. This being slashdot, no information being forthcoming is the norm.

Again, they don't disclose this. Don't blame Slashdot. If you think you can compel them to answer you, then you dig it up and you reveal it so the

Re:

[jd]

23&Me data simply isn't detailed enough to reliably do much with. Honestly, I doubt any of it has serious blackmail potential, and the personal information - at least in America - is available for a few dollars from personal data scrapers. And there's dozens of those.

In fact, my suspicion is that hackers are far more interested in the personal data scraping sites, as those will link a person to criminal convictions, past addresses, social media IDs, phone numbers, and other readily exploitable data.

Re:

[bugs2squash]

I don't know how 23&me works - do they send you a swap in the mail and you return it ? Maybe they don't tell you all they parse out of it. Maybe they hold onto information, eg. to sell you a "premium upgrade" later.

Re:

[jd]

They don't sell any upgrades. They use a chip to genotype people, so they don't actually sequence people and they're physically limited to the SNPs that the chip identifies.

To make things worse, they only run the sample three times. To give some idea, FamilyTreeDNA runs their samples around seven times, and medical-grade testing requires running the sample 100 times or more. This sacrifices accuracy for speed. They're a LOT faster than, say, Nebula Genomics, but the error rate is high.

Re:

[sizzlinkitty]

23&Me data simply isn't detailed enough to reliably do much with. Honestly, I doubt any of it has serious blackmail potential, and the personal information - at least in America - is available for a few dollars from personal data scrapers.

It's useful for painting a full picture of someone's family and possible exploitation targets that can't be figured out from facebook. I had some Russians call my mom's half sister (my half aunt) and try to get information about me, from her, under the premise that I've been arrested. The weird part is my half aunt didn't even share my mom's maiden name and was always a distant family member we only saw once every 3-4 years. I have no idea how they made the link that she was my half aunt and this was back i

Re:

[smooth wombat]

HOW did the hackers get this data?
What measures did 23andme deploy to prevent future attacks?

Apparently this resulted because there is a shortage of Information Security workers [slashdot.org] so who knows what mitigation steps have been taken.

Until there are financial consequences

[misnohmer]

For-profit corporations are driven by money by their very definition. There is nothing inherently wrong with that, as it spawns a lot of innovation (need being the mother of invention). However, there needs to be a strong need to secure private data. Until there are monetary damages required to be paid out by law to victims, not much will be done to curb these incidents. Executives, managers, developers, users are always going to choose the path of least resistance to get to a particular goal. If there are

Oh great...

[Petersko]

Now hackers know how incredibly, uniformly white I am. Fucks with my credibility as a blues guitar player.

Re:

[sysrammer]

Tilt your fedora forward and perhaps nobody will notice.

Nobody will care

[Opportunist]

People using this already handed their DNA to some corporation that basically said they'll do with it whatever they want. They don't give a fuck about their privacy.

Re:

[jd]

23&Me is bound by national laws, so Europeans who have their data stored are protected by the European data protection laws. So, no, they can't do whatever they like. They tried that before and the FDA sued them close to oblivion.

Even in America, it is illegal for insurance companies to touch that data and in America, lawsuits are easy and bad publicity is very expensive. If an insurance company was even suspected of handling stolen genetic data, it would face a class action suit. Which wouldn't be the

Re:

[bugs2squash]

What about the LDS church ?

Re:

[geekmux]

Even in America, it is illegal for insurance companies to touch that data...

....directly. It's illegal for them to touch that data directly.

Indirectly through a 3rd party, is likely dismissed. You know, kind of like how Government outsources censorship to social media parties. That way, they cannot be accused directly of violating the 1st Amendment.

Re:

[jd]

Except the government doesn't outsource censorship to social media. Social media companies enforce their own terms of service in line with the politics of those in charge of the company, but the government is simply not involved.

I thought about using them

[Hoi Polloi]

I was curious to see my results then I came to my senses and realized I'd be giving them some extremely private info that they'd hold onto. It is bad enough it is a permanent repository than can be subpoenaed never mind stolen.

Re:

[jd]

There's some truth to that. It is a risk assessment you have to make. When the data is on 23&Me servers, it can be stolen. But who will buy the data? Insurance companies will be tempted, but if they're even suspected, they'll be liable for far more than the data is worth and that's not including the number who will shift insurance companies because of the bad publicity and illegal practices.

You've also got to consider data value. 23&Me collects around 0.1% of the markers of significance, and the mar

Re:

[sizzlinkitty]

You could have registered it to any name you wanted, just setup a dedicated email address on protonmail.

Nearly half of all of their customers

[chx496]

Just to add some perspective to the numbers here: if 14000 is 0.1%, then 100% is 14 million, so 6.9 million is slightly less than 50% of all customers. They've also shown no real transparency in this entire ordeal, so who knows if these latest numbers are even accurate.

I've yet to see a proper post-mortem of the entire incident, and it's been a long time since reporting on this issue first started. And the way 23andMe has tried to obfuscate the entire thing tells me that they're definitely not a company I'd

Re:

[jvkjvk]

>And the way 23andMe has tried to obfuscate the entire thing tells me that they're definitely not a company I'd ever want to be a customer of.

I hate to break this to you, but I think you probably don't want to be a customer of nearly any company then.

Please Click This Link

[organgtool]

Please click this link to reset your DNA.

Mandatory password reset, and two-factor Auth.

[jasonw61]

That's the solution, going forward. Right from the article, no lie.

Brute Force using stolen passwords, and this elite group of hackers, steals enough accounts, to enable them, to scrape the data, for half the people that use the website?

For real?