Is it safe to have your ancestry data online? Here's what experts say.
Millions of people use genetic testing companies like 23andMe to learn more about their ancestry and health. But a new data breach is highlighting the risks of having your ancestry information stored online — and what it might be used for in the event of hacking. Here's what to know.
What’s happening
In October, 23andMe announced that approximately 14,000 23andMe users’ accounts were breached; according to the company, the stolen data — which some hackers tried to sell via online forums — “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
It's since been revealed that the hackers used those compromised accounts to also access another 6.9 million profiles connected to the users’ DNA relatives and those on their family tree. Data from the DNA Relatives profiles consists of information that a customer chooses to make available to their genetic relatives, such as display name, predicted relationships and percentage of DNA shared with matches, when they opt in to that feature. Data from Family Tree profiles includes a limited subset of DNA Relatives profile information and does not include ancestry information such as the percentage of DNA shared with genetic matches or ancestry reports. The BBC reports that no DNA records were stolen.
The breach was carried out through credential stuffing, an attack in which username and password pairs leaked from breaches of other websites are tried against 23andMe accounts. In other words, users had reused on 23andMe the same username and password they used on other, already compromised sites, making it easier for hackers to break in. When asked for comment, 23andMe directed Yahoo Life to this statement posted on its website: “We do not have any indication that there was a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks."
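To make the credential-stuffing pattern concrete from the defender's side, here is an added example (not code from 23andMe or from the article) that scans constructed login-log lines and flags a source address that tries many distinct usernames with mostly failures; the log format, thresholds and field names are assumptions. The occasional success from such a source is exactly a reused password, which is what a second login factor would have blocked.

```python
import re
from collections import defaultdict

# Constructed sample of authentication-log lines (not real 23andMe logs).
# 203.0.113.5 walks through many different usernames; 198.51.100.7 is
# one user retrying their own password.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2023-10-01T12:00:04Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace result=SUCCESS
2023-10-01T12:01:00Z ip=198.51.100.7 user=heidi result=FAIL
2023-10-01T12:01:05Z ip=198.51.100.7 user=heidi result=FAIL
2023-10-01T12:01:09Z ip=198.51.100.7 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_events(log_text):
    """Yield (ip, user, success) tuples, skipping lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "SUCCESS"


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources that look like credential stuffing.

    Heuristic (assumed thresholds): many *distinct* usernames from one
    address with a high failure rate. A legitimate user retrying their own
    password touches one username, so it is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "compromised": set()})
    for ip, user, success in parse_events(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if success:
            s["compromised"].add(user)  # a hit from a stuffing source = reused password
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised_accounts": sorted(s["compromised"])}
    return flagged
```

Accounts listed under `compromised_accounts` are the ones whose owners reused a leaked password and should be forced through a password reset and two-factor enrollment.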
However, John Gilmore, head of research at DeleteMe, says the company should be criticized for handling extremely sensitive data without requiring two-factor authentication as a basic requirement of using their service. Two-factor authentication gives access to a website or application only after a user provides two or more pieces of evidence to prove who they are, such as entering a password and then confirming their identity via phone or email.
“They designed their system to let anyone log in with a username and password, which is technology that is already 10 years old. This is negligent,” Gilmore tells Yahoo Life. On its website, 23andMe states that it now requires current and new customers to log in using two-step verification.
How bad is it to have your ancestry data — or more — out in the world?
While, as Engadget reports, 23andMe has insisted that no genetic material or DNA records were taken in the hacking of its ancestry data, the incident does raise implications for what might happen in the future, and how certain groups could be targeted. (Already, NBC News notes, hackers have been able to single out and publish data belonging to 1 million users of Jewish Ashkenazi descent, sparking concerns.)
While any breach of personal information such as name, address, email and bank account is worrisome, Katie Hasson, associate director of the Center for Genetics and Society, says it’s not clear what the immediate impact is of having one’s DNA data breached.
“There are already vast amounts of personal data that are being sucked up all around the internet from purchases and other things being collected and sold for marketing and targeting in various ways. Thinking about the potential that genetic data will start to get folded into all of that with our profiles is concerning,” she tells Yahoo Life.
Because genetic data is permanent — unlike a credit card number, which can be changed — and because it is sensitive in relationship to your current relatives and possible descendants, Hasson notes that protecting the information is important. “Your DNA data has health information in it and ancestry estimates, and any of these could potentially be used,” she says.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not protect people against breaches or the selling of DNA and health information outside of health care settings. “If you share this data with your doctor, it’s protected under HIPAA, but if you share it with a private company, the only privacy protection you have is what the company states in its terms of service,” says Hasson. “A lot of times in the terms of service, it states that data can be shared with their partners, which means it can be extended to multiple companies, or sold to pharmaceutical companies and researchers.”
There are also questions about what happens to the data if a company goes out of business or loses part of the business, she adds.
Why the future of DNA misuse is unknown
Research in genetics moves quickly and there could be ways to misuse it that even security experts haven't yet predicted.
“A perfect example of this is a decade ago, when everyone signed up for Facebook or other social networks at the time," says Hasson. "No one had the idea that there would be any risks or that there would be data breaches and ways people could use users’ information for political campaigns," she adds, referencing the Cambridge Analytica privacy scandal.
Gilmore agrees. While he thinks a breach like 23andMe's does not pose an immediate DNA-related threat, he says a breach like this one could down the road. “Right now, you can’t use DNA to fake an eyeball or fake human behavior, but you can use DNA to identify groups of people,” he says.
For instance, stealing DNA may not by itself have an immediate technical application, but Gilmore asks: What if you could put it into a spreadsheet and filter people by certain phenotypes or genetic characteristics, and create a target list from that? “It can be useful as a sorting mechanism to find the same types of people,” he notes. It's unclear what someone would then do with that targeted list.
What should you do?
Despite the risks of having ancestry data leaked, 23andMe and other genetics-related websites do provide services — including finding relatives, getting information about one's health or flagging any genetic markers that could be passed on — that many users find invaluable. For those who still want to access that data, Gilmore advises taking the following steps to protect your information online:
Only share your personal and health information with websites and applications that use two-factor authentication.
Take data hygiene seriously. “Take a closer look at how and what you share with third parties. Get a password manager and change your passwords, close old accounts and delete your records because one day they’ll get breached,” says Gilmore.
Stop sharing your home address and schools you attended on social profiles. “Take your professional information off of open access on LinkedIn, because all that information is being scraped and later collected. It doesn’t mean going totally anonymous; it just means [limiting] anything other than your name,” Gilmore says.
Have a service perform a dark web security scan, which searches for information about you, including stolen usernames and passwords. “Usually it finds old data from two or three years ago, but it may be worth it,” says Gilmore.