A cautionary tale from 23andMe

by Black Hat Middle East and Africa

We all know someone who’s done it. Swiped a swab around their mouth and packaged it up in an envelope to send to a DNA-testing company that promises to offer exciting insights into their ancestry – giving them a biological connection with their past. 

But everything comes at a cost. And when you’re sharing your precious biological data with a private company, the cost is more than the $200 you spend on the test. Cybersecurity experts have been urging caution about this for years now, and ongoing issues with popular genetic testing company 23andMe are highlighting why that caution really matters.

A quick look at the data breach so far

In October 2023, 23andMe reported a data breach. Over the following weeks, more details gradually emerged, with the firm releasing information about the type of attack (credential stuffing, in which attackers log in using username and password pairs leaked in earlier, unrelated breaches) and the affected data. Initially, it was estimated that around 14,000 users of the company’s opt-in social sharing platform, DNA Relatives, had been affected.

But at the beginning of December the company told TechCrunch that the attackers had been able to gather personal data from approximately 5.5 million users who had directly opted in to DNA Relatives, along with an additional 1.4 million users whose ‘Family Tree profile information’ had been accessed.

According to information provided to Wired, breached data included: 

  • Display names
  • Most recent login
  • Relationship labels
  • Predicted relationships
  • Percentage of DNA shared with relatives matches
  • Ancestry reports
  • Specific details about chromosome matches between relatives
  • Self-reported locations and ancestor birth locations
  • Family names, birth years, and more

The breach highlights just how much highly sensitive personal data can be exposed when a DNA testing firm becomes the target of a hack. And it leads to the question: 

What could threat actors do with stolen genetic testing data?

Stolen genetic data can be sold to malicious actors for a range of different purposes, including:

  • Blackmail. Private health information can be used to expose family secrets and damage reputations – making it a valuable illegal commodity for criminal blackmail use.
  • Identity theft and impersonation. Personal data of all kinds can enable threat actors to impersonate individuals – and the more sensitive the data, the more convincing a stolen identity can be. In some cases, stolen genetic data could be used to bypass or manipulate biometric systems like fingerprints or facial recognition, which has serious implications.
  • Biological weapon development. DNA can be purchased by criminals for use in gene editing, which could enable the development of dangerous bacteria and virus strains.

Genetic data is sensitive data

The bottom line is that genetic data is sensitive information, and its capture, storage, and protection should be taken seriously. Users of DNA testing services should be cautious, and make sure they understand the security policy they’re agreeing to before they share their information.

And those security policies really are key – both at the level of the company, and at the level of the regulatory framework that company is working within.

As Brett Callow (Threat Analyst at Emsisoft) told Wired:

“I firmly believe that cyber-insecurity is fundamentally a policy problem. We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It's counterproductive and helps only the cybercriminals.”

Genetic data theft has potential consequences that could stretch beyond current use cases, particularly as AI tools become more accessible for nefarious use. We’re watching to see what happens next with 23andMe – and how the cybersecurity community responds. 
