Company “23 and me” hacked. DNA information on members and relatives released to web hackers

From a CNN report via a securities filing, so this press release essentially comes direct from the company:

A Friday filing from 23andMe to the Securities and Exchange Commission said that about 0.1% of the company’s user accounts, or roughly 14,000, had their accounts breached by the hackers.

23andMe is standing by that number but is also now (12/5/23) telling reporters that the hackers were able to access some 5.5 million profiles that use a company feature called DNA Relatives that allows users to find genetic relatives. In addition, the hackers accessed a subset of family tree information on 1.4 million DNA Relatives profiles, the 23andMe spokesperson said in an emailed statement.


This reinforces my fear of these DNA testing companies and the data they possess. I know of a family that did this as a Holiday gift, a bit of a lark gift and lo and behold, it came back that one of the four kids was not from the father. And no, it was not an adoption, you can fill in what happened 20+ years ago….
How do you recover from that, both the kid and the family unit?

Has anyone here done DNA testing and had an unexpected finding from the results or perhaps, because of the information in the database, been contacted by someone claiming to be related?

My opinion - this DNA technology has the potential for so much good for diagnosis of medical conditions. It should have been developed. BUT the results should be treated like medical records and kept secure.
 
My opinion - this DNA technology has the potential for so much good for diagnosis of medical conditions. It should have been developed. BUT the results should be treated like medical records and kept secure.

DNA and genetic testing companies are under HIPAA regulations as well so theoretically they would have the same minimum cyber security requirements.

It looks like the issue was magnified even worse with this:
Because of the way that the DNA Relatives feature matches users with their relatives, by hacking into one individual account, the hackers were able to see the personal data of both the account holder as well as their relatives, which magnified the total number of 23andMe victims.

Who wants to bet it was some employee that clicked on an email attachment that they shouldn't have.
 
DNA and genetic testing companies are under HIPAA regulations as well so theoretically they would have the same minimum cyber security requirements.

It looks like the issue was magnified even worse with this:
Because of the way that the DNA Relatives feature matches users with their relatives, by hacking into one individual account, the hackers were able to see the personal data of both the account holder as well as their relatives, which magnified the total number of 23andMe victims.

Who wants to bet it was some employee that clicked on an email attachment that they shouldn't have.
This has a surprising amount of similarity to the Cambridge Analytica scandal that happened on Facebook, where Cambridge Analytica was able to steal data from other people's Facebook accounts due to links within the friend system.
 
From a CNN report via a securities filing, so this press release essentially comes direct from the company:

A Friday filing from 23andMe to the Securities and Exchange Commission said that about 0.1% of the company’s user accounts, or roughly 14,000, had their accounts breached by the hackers.

23andMe is standing by that number but is also now (12/5/23) telling reporters that the hackers were able to access some 5.5 million profiles that use a company feature called DNA Relatives that allows users to find genetic relatives. In addition, the hackers accessed a subset of family tree information on 1.4 million DNA Relatives profiles, the 23andMe spokesperson said in an emailed statement.


This reinforces my fear of these DNA testing companies and the data they possess. I know of a family that did this as a Holiday gift, a bit of a lark gift and lo and behold, it came back that one of the four kids was not from the father. And no, it was not an adoption, you can fill in what happened 20+ years ago….
How do you recover from that, both the kid and the family unit?

Has anyone here done DNA testing and had an unexpected finding from the results or perhaps, because of the information in the database, been contacted by someone claiming to be related?

My opinion - this DNA technology has the potential for so much good for diagnosis of medical conditions. It should have been developed. BUT the results should be treated like medical records and kept secure.
Even medical records aren't secure. The most secure network you can find is one which is 100 percent self-contained.
 
Even medical records aren't secure. The most secure network you can find is one which is 100 percent self-contained.

We had a major security breach at the hospital I worked at… It had to have been massive because my supervisor sat all of us down and talked to us about it.
 
Because of the way that the DNA Relatives feature matches users with their relatives, by hacking into one individual account, the hackers were able to see the personal data of both the account holder as well as their relatives, which magnified the total number of 23andMe victims.

That personal data is only what a 23andme user can see. That would include ancestry, maybe their location (if they filled it out) maybe the name (some users don't have their full name on there), and maybe some info about their surnames and family tree if they've bothered to fill it out.
 
Never understood all this obsession over privacy on medical records. I get that people don't want embarrassing conditions made public, but who cares if some total stranger doing hacking of thousands of records sees you were treated for VD or 'roids. I'd think someone that got your SSN would do more damage.
 
That personal data is only what a 23andme user can see. That would include ancestry, maybe their location (if they filled it out) maybe the name (some users don't have their full name on there), and maybe some info about their surnames and family tree if they've bothered to fill it out.
My sister did this test and told us brothers that she filled in our family tree including our and our kids' bio information on her submission.

I was livid! I felt personally violated but kept quiet for family unity. We had within the past 6 months lost our father, stepfather and our mother (to dementia) and a big fight over her 23 and me submission could have done irreparable harm.

That was a few years ago. I have never brought it up to her, but without my permission my DNA information, through my sister, is in their database.
 
The keycards at work got compromised a few years ago because one employee couldn't keep his key card in his pants after hours. We all got a day off and shiny new key cards. We were also encouraged to guard our key cards as if we were hiding aliens in the basement - which we are not. They are off-site.
 
My sister did this test and told us brothers that she filled in our family tree including our and our kids' bio information on her submission

23andme doesn't have a family tree function. The most you can do is link your 23andme profile to another service that does, like Ancestry. Ancestry doesn't show family tree entries for living people. I have an Ancestry family tree and it only has direct ancestors of mine in it; I didn't put cousins, uncles, aunts, etc. in it.

That was a few years ago. I have never brought it up to her, but without my permission my DNA information, through my sister, is in their database.

Where does it stop? Should a 1st cousin once removed of mine be angry with me that I submitted my DNA to Ancestry or one of the others?
 
This reinforces my fear of these DNA testing companies and the data they possess. I know of a family that did this as a Holiday gift, a bit of a lark gift and lo and behold, it came back that one of the four kids was not from the father. And no, it was not an adoption, you can fill in what happened 20+ years ago….
How do you recover from that, both the kid and the family unit?

I haven't heard much about these types of tests in years since the shine wore off.

It's always amazing what the bandwagon riders are always jumping on and lining up to do. This was one that blew my mind a few years ago, the typical, low-information, pop-culture experts were doing this in a rage.

Then the data comes back, ooops, one kid don't match. Or "honey, someone is knocking on the door"....
 
23andme doesn't have a family tree function. The most you can do is link your 23andme profile to another service that does, like Ancestry. Ancestry doesn't show family tree entries for living people. I have an Ancestry family tree and it only has direct ancestors of mine in it; I didn't put cousins, uncles, aunts, etc. in it.



Where does it stop? Should a 1st cousin once removed of mine be angry with me that I submitted my DNA to Ancestry or one of the others?
Brian, I might be conflating the Ancestry site along with the 23 and me. She (my sister) applied/submitted whatever is appropriate to both sites at the same time. She was hopeful to find distant relatives that we did not know. My dad’s extended family tree was pretty much unknown to us and he was from a big family. My mom's family tree was fairly well known. She wanted to know more.

She was just oblivious to the dark side potential of her action - watched too many Hallmark holiday movies I think.
 
Never understood all this obsession over privacy on medical records. I get that people don't want embarrassing conditions made public, but who cares if some total stranger doing hacking of thousands of records sees you were treated for VD or 'roids. I'd think someone that got your SSN would do more damage.
This is very true.
Brian, I might be conflating the Ancestry site along with the 23 and me. She (my sister) applied/submitted whatever is appropriate to both sites at the same time. She was hopeful to find distant relatives that we did not know. My dad’s extended family tree was pretty much unknown to us and he was from a big family. My mom's family tree was fairly well known. She wanted to know more.

She was just oblivious to the dark side potential of her action - watched too many Hallmark holiday movies I think.
And what would that be? I had a relative I didn't know that was in my tree contact me. Wasn't a big deal. Of course maybe if you are related to Ted Bundy or Charles Manson or something.......

So what did she find out that was "dark" or "bad"? You opened the door - let's walk through it.
 