Genetic testing service 23andMe has disclosed unauthorized access to the genetic testing information of nearly 1 million users, in a hack that appears to have been made possible by lax internal password security. It's one thing to get a new credit card after a breach; it's quite another to try to change your genetic code.
Services like 23andMe have raised huge privacy concerns for years. In 2017, the New York Times' Wirecutter product recommendation service hired me to review the online privacy policies of some of the more popular online genetic testing services, including 23andMe, AncestryDNA, and FamilyTreeDNA. You can still see parts of my assessment on Wirecutter's current evaluation of these services.
This breach underscores the need for security measures commensurate with the sensitivity of the information a business collects. It's hard to imagine a more sensitive data set than a person's genetic code, and yet this incident appears to have been caused by simple poor password management.
We tell clients all the time: your biggest security threat is your people. It's critical that organizations educate and train their personnel to be the first line of defense against cyberattacks, especially at companies trading in sensitive information. Compliance with laws and policy is not enough. Companies must work with their people to get buy-in to help protect the company against bad practices that can lead to bad results like this.
It's difficult, yes, but much can be done to put businesses in a far better position than they stand in today to fight off cybersecurity attacks like this one.