
If It Can Connect to the Internet...It Can Be Hacked

Genetic testing service 23andMe has revealed the unauthorized access of nearly 1 million users' genetic testing information in an attack that appears to have relied on passwords users had reused from other sites where they had already been leaked. It's one thing to get a new credit card after a breach; quite another to try to change your genetic code.

Services like 23andMe have raised huge privacy concerns for years. In 2017, the New York Times' Wirecutter product recommendation service hired me to review the online privacy policies of some of the more popular online genetic testing services, including 23andMe, AncestryDNA, and FamilyTreeDNA. You can still see parts of my assessment on Wirecutter's current evaluation of these services.

This breach underscores the need for security measures in line with the sensitivity of the information a business collects. It's hard to imagine a more sensitive data set than genetic information, and yet this incident appears to have been made possible by poor password practices.

We tell clients all the time: your biggest security threat is your people. It's critical that organizations educate and train their personnel to be the first line of defense against cyberattacks, especially at companies trading in sensitive information. Compliance with laws and policy is not enough. Companies must work with their people to get buy-in to protect the company against bad practices that lead to results like this.

It's difficult, yes, but much can be done to put businesses in a better place than they stand today to fight off cybersecurity attacks like this.

A database that has been shared on dark web forums and viewed by NBC News has a list of 999,999 people who allegedly have used the service. It includes their first and last name, sex, and 23andMe’s evaluation of where their ancestors came from. The company is still investigating the incident, but is treating the leak as authentic. In an emailed statement, a 23andMe spokesperson said the company believes it wasn’t hacked per se. Instead, it believes that the hackers simply gained some users’ passwords that had been hacked and leaked from other sites, then exploited the fact that 23andMe can give users vast access to each others’ genetic information.
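The pattern the spokesperson describes, leaked passwords from other sites replayed against many accounts, is credential stuffing, and it leaves a recognizable trace in authentication logs: one source address walks through many distinct usernames in a short window, and most attempts fail because the reused password happens not to match. The detector below is an added example written for this post, not code from 23andMe or from NBC's reporting; the log lines are constructed, and the window and thresholds (`window`, `min_accounts`, `max_success_rate`) are illustrative assumptions a real deployment would tune.

```python
"""Credential-stuffing detection over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format: timestamp source_ip username outcome
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.test FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.test FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.test SUCCESS
2023-10-01T10:00:04Z 203.0.113.7 dave@example.test FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.test FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.test SUCCESS
2023-10-01T10:00:07Z 203.0.113.7 grace@example.test FAIL
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.test FAIL
2023-10-01T10:05:00Z 198.51.100.9 alice@example.test FAIL
2023-10-01T10:05:30Z 198.51.100.9 alice@example.test SUCCESS
2023-10-01T11:00:00Z 192.0.2.33 ivan@example.test SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, succeeded?)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that tried at least `min_accounts` distinct usernames
    within `window` with a success rate at or below `max_success_rate`.

    Thresholds are assumed values for illustration. The success-rate cap keeps
    a shared office NAT, where many users log in and mostly succeed, from
    being flagged; a stuffing run mostly fails because reused passwords
    rarely match, yet the few successes are exactly the accounts at risk.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window anchored at each attempt; fine for log-sized input.
        for t0, _, _ in evs:
            win = [e for e in evs if t0 <= e[0] <= t0 + window]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_accounts and len(successes) / len(win) <= max_success_rate:
                flagged[ip] = {
                    "distinct_accounts": len(users),
                    "attempts": len(win),
                    "successes": successes,  # accounts the attacker got into
                }
                break
    return flagged


def accounts_to_reset(flagged):
    """Accounts that had a successful login from a flagged source; these need a
    forced password reset and a review of what the session accessed."""
    return sorted({u for r in flagged.values() for u in r["successes"]})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    for ip, r in hits.items():
        print(f"{ip}: {r['distinct_accounts']} accounts, {r['attempts']} attempts, "
              f"got into {r['successes']}")
    print("reset:", accounts_to_reset(hits))
```

On the sample, 203.0.113.7 is flagged (8 accounts in 8 seconds, 2 successes), 198.51.100.9 is not (a single user retrying their own password), and 192.0.2.33 is not (one clean login). The two successful accounts are the ones to reset; in the scenario the post describes, they are also the ones whose sharing features would have exposed other users' data.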

Tags

privacy, data privacy, cybersecurity, data breach