In a significant breach of data privacy, genetic testing company 23andMe has confirmed that personal data of approximately 6.9 million users was compromised. The breach was orchestrated by an anonymous hacker who gained access to user profiles and subsequently posted them for sale online.
The compromised data primarily included users' ancestry information. However, sources disagree on whether the stolen data also included health-related information based on genetic profiles. Some reports suggest that such sensitive health data was compromised; others contradict this claim.
The breach was executed by exploiting previously leaked passwords, which allowed the hacker to access individual accounts. The stolen data includes family trees, birth years, and geographic locations. The hacker was also able to view profile information about other users' ancestry, and downloaded private information belonging to every other user they were linked to through the website's family trees.
In addition to the immediate implications of the breach, 23andMe is currently facing multiple class-action lawsuits and inquiries from governmental officials and agencies. The exposure of health information, if confirmed, could raise significant concerns, as health protections typically apply only to healthcare providers. Furthermore, the Genetic Information Nondiscrimination Act (GINA) has loopholes that allow life and disability insurers to deny policies based on genetic information.
As of now, there is no evidence that the stolen data has been used by criminals. However, the incident marks the first major breach of a DNA testing company where health information was potentially publicly disclosed, highlighting the vulnerability of sharing DNA with testing companies.