I Just Took a DNA test, Turns Out…My Data was Leaked

Diane here, COO and the least technical member of our group! I’ll occasionally take control of our blog to give y’all a break from hearing from Kyle. My posts will focus more on things happening in mainstream media or whatever I find interesting, relevant, or scandalous. Enjoy! 🖤


Hi readers! I’m back and this week we are going to talk about another alarming data leak. While all data leaks are concerning because personally identifiable information (otherwise known as PII; think email address, name, address, credit card information, etc.) is made available to bad actors, there are some data leaks that expose what I believe to be even more sensitive information…and this is what happened in 2023.

Unless you have been living under a rock, you’ve probably heard about companies where with a simple cheek swab you can send them your DNA and find out your ancestry or find out more about your health through your genetics. Heck, you can even do DNA testing for your dog (we don’t need a DNA test to know our Chief Barking Officer is 90% queen and 10% cookie monster). I can totally understand the allure of tracing your ancestry and of learning more about your genetics to help inform your medical care, but I would also caution y’all to do your due diligence prior to giving companies your literal DNA because as we have learned from previous data leaks, no data is truly 100% secure.

Let’s take a look at what happened to 23andMe…

In late 2023, a hacker stole the data of 6.9 million users of 23andMe, about half of the company’s total users. The investigation revealed the hacker was able to [brute-force](https://www.fortinet.com/resources/cyberglossary/brute-force-attack#:~:text=A%20brute%20force%20attack%20is,and%20organizations‘%20systems%20and%20networks.) users’ passwords (basically using trial and error) by using passwords available online from other data leaks (#donotreusepasswords). 23andMe told TechCrunch that the leaked data came from users who opted in to the company’s DNA Relatives feature and included the “person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location” as well as uploaded photos. Other data was accessed using the Family Tree feature.

How strong is your password? Check out this graph to see how long it would take a hacker to brute force your password.
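Because the 23andMe attacker reused passwords from other leaks, the login traffic looked less like one person guessing and more like one address trying many different accounts once each. The following is an added example, not code from the original post or from 23andMe, that scans constructed sample login lines (the log format, field names and IP addresses are assumptions) for that credential-stuffing pattern so a defender can spot it and reset the affected accounts.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real data); the format is an assumption.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol result=OK
2023-10-01T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T10:00:06Z ip=203.0.113.7 user=frank result=OK
2023-10-01T10:01:00Z ip=198.51.100.2 user=alice result=FAIL
2023-10-01T10:01:05Z ip=198.51.100.2 user=alice result=FAIL
2023-10-01T10:01:09Z ip=198.51.100.2 user=alice result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log_text):
    """Yield (ip, user, succeeded) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "OK"


def credential_stuffing_sources(log_text, min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for addresses that try
    many distinct accounts with a low hit rate. One leaked password per account
    and little retrying is the credential-stuffing signature; a single user
    fumbling their own password from one address touches only one account."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, ok in parse(log_text):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        rate = s["ok"] / s["attempts"]
        if distinct >= min_users and rate <= max_success_rate:
            # Successes from a flagged address are the accounts whose reused
            # password matched: force a reset and two-step verification there.
            flagged[ip] = (distinct, s["attempts"], s["ok"])
    return flagged
```
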

The hacker, who goes by Golem (probably ripped from Gollum of “Lord of the Rings”), posted on an online forum used by cybercriminals the Personally Identifiable Information of more than 1 million users with Jewish ancestry. The data included their full names, home addresses, and birth dates. According to The New York Times, after a request was made by a forum poster, Golem leaked the profile information of 100,000 Chinese customers.

23andMe subsequently notified their users, required them to change their passwords, and required new customers to set up two-step verification when creating accounts. There is also currently a lawsuit making its way through the court systems. The class action lawsuit accuses 23andMe of “failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles” and “failing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into ‘specially curated lists’ that were shared and sold on the dark web”.

According to the National Institutes of Health (NIH), there is little regulation or oversight for direct-to-consumer genetic testing companies, unlike the companies that work directly with health care professionals. This lack of oversight and regulation includes what they can and can’t do with your data and how they can (or don’t) protect your data. Most of these companies have detailed information on their practices which can help you answer the following questions, which are outlined by the NIH as being helpful to “assess a company’s privacy practices”:

  • What does the company do with your sample once it has completed the analysis? Will the sample be stored, shared, sold, or destroyed?
  • Once you take the test, who owns your genetic data?
  • How does the company safeguard your genetic data and other personal information that you provide? Is it stored in a database that is protected from unauthorized access? What happens if the database is hacked or otherwise compromised?
  • Can you delete your results from the company’s database if you wish?
  • Does the company use your information for internal research, advertising, or other secondary purposes?
  • Will the company share your genetic data or sell it to pharmaceutical or biotechnology companies, academic institutions, or nonprofit organizations? If so, will the shared data include other information that could identify you (such as your name or date of birth)? For what purposes will your data be used? Will you be informed when your data are shared or sold?
  • If you do not want your genetic data shared, sold, or used for research, can you opt out? What happens if you agree to share your information but want to opt out later?
  • Will you be notified in the future if the company changes its privacy policies?
  • What would happen to your sample and your genetic information if the company is sold or goes out of business?

So if you, like Lizzo, want to take a DNA test to find out you’re 100% that b*tch, make sure to read the privacy policy and any other policy available thoroughly, visit the FAQ page, send your questions to the company, and make sure to use a strong password.

And if the thought of cybercriminals having your data and your DNA (or really anyone other than the intended recipient) makes your skin crawl, or if you have begun to think about just how much of your data is out there and are getting the ick, you have found yourself in the right place! Here at AbsolutelyNothing, we believe digital citizens, such as yourself, should have control over their data, and the first step is to become more aware and educated about data privacy and privacy policies. Our team is so very close to releasing our first products, which are going to help you pinpoint what kind of data companies are collecting and make sense of the legalese in privacy policies, terms, and agreements. If you are excited about what we are doing at AbsolutelyNothing, go ahead and let us know – we are a small and scrappy team so every dollar counts.

Until next time digital citizens,

Diane