23andMe has quite the disaster on its hands after a massive data breach sparked dozens of lawsuits from its victims. Meanwhile, the DNA analysis company’s bizarre approach to the situation is to blame the victims themselves.
With interest rising in home genetic testing in recent years, it’s not surprising that for-profit companies have begun capitalizing on it. The concept of 23andMe is quite intriguing—you simply send a DNA saliva sample to the company and can quickly learn things about yourself that you never knew. You might learn more about your origins and ancestry, be able to track down long-lost relatives, and even about how you might be genetically predisposed to certain diseases. Stories have arisen of how 23andMe has helped adoptees reunite with their biological families, exposed family secrets, or even led to breakthroughs in decades-old cold cases.
Still, regardless of how helpful and intriguing it may be, it can’t be ignored that a for-profit company is compiling an enormous DNA database from millions of users. There are concerns about what precisely the company intends to do with all that data and how adept it is at protecting it. Unfortunately, we already have a dismal answer to the latter question. Late last year, hackers managed to access the personal information of millions of 23andMe users, and the company’s response to the breach has been less than reassuring.
23andMe has an unfortunate response to its massive data breach
In December 2023, 23andMe confirmed it had experienced a massive data breach. At first, the company revealed that the breach had impacted 14,000 or 0.1% of users. However, it noted that there might be “others” who were impacted due to the DNA Relatives feature, which automatically shares customers’ data with potential genetic relatives. Later, 23andMe finally admitted that the breach was much bigger than thought. Hackers accessed 14,000 accounts through a technique known as credentials stuffing and, from there, managed to access the information of another several million users who had opted into the DNA Relatives sharing. In total, a staggering 6.9 million users had their personal information accessed by hackers, which is roughly half of all 23andMe users.
It didn’t take long before the company was hit by multiple lawsuits, including a class action lawsuit filed by Alyson Hu. Hu’s lawsuit explains that hackers were able to access “millions of customers’ names, usernames, regional locations, profile pictures and ethnicities.” Meanwhile, it alleged that there was already evidence of this information appearing on the dark web for sale. The suit accuses 23andMe of not taking adequate measures to protect the data, thus resulting in a massive breach.
23andMe responded to the backlash in a letter seen by TechCrunch, in which it allegedly blamed the victims of the breach. The company claimed the victims were at fault because they had recycled and not updated their passwords. Credential stuffing is indeed largely successful only when users utilize the same password across multiple platforms. However, credential stuffing was only used on 14,000 accounts, so what about the victims whose info was stolen from the DNA Relatives feature regardless of their password strength? Meanwhile, if the company was so concerned about password recycling, perhaps it should’ve taken measures to reduce this security weakness with required password updates and two-factor authorization.
What does 23andMe’s security breach mean?
23andMe’s lawyers have also tried to avoid accountability by downplaying the situation and claiming that the stolen information “cannot be used for any harm.” It’s true that the information, since it doesn’t include things like social security numbers, likely can’t be used for identity theft, but that doesn’t mean it can’t be used in other ways.
There’s already evidence that the data was being used to target specific ethnic groups, as hackers were putting the information of users of Jewish Ashkenazi and Chinese descent online for sale. Meanwhile, some people might interested in accessing the health information from 23andMe to blackmail or discredit someone. While there are laws that protect from discrimination based on health, imagine if a political candidate had the fact that they were predisposed to Alzheimer’s used as an attack against them from the opposing party. It’s very possible for someone to be blackmailed or forced to repurchase their DNA from hackers to avoid sensitive health information from being leaked.
Plus, there are countless people, from criminals to insurance companies to marketers to police officers, who are interested in accessing your DNA for their own benefit, whether to plie you with ads and sales pitches or to consider you as a suspect in a cold case. There are probably malicious ways our DNA can be used that we aren’t even aware of yet, as data breaches among DNA testing companies are fairly new territory. This makes 23andMe’s attempts to minimize the seriousness of what happened and save face even more troublesome when the only thing it should be doing is focusing on how to protect and compensate victims.
(featured image: Smith Collection / Gado / Getty)
