In light of current global events, a cyber attack on DNA testing company 23andMe earlier this month received little attention with hackers stealing a million people’s DNA.
According to the leaked data, the popular company gives users with a detailed lineage breakdown based on their DNA, and its customers include Elon Musk and Mark Zuckerberg – but this has not been confirmed.
The data leak was caused by a ‘credential stuffing’ attack on individual users rather than a hack of company systems. This is where hackers test prior hacks’ usernames and passwords to check if individuals are using the same information.
It’s the equivalent of opportunistic robbers attempting every door on a street.
Such attacks are not rare, but it does pose an important question: what good is your DNA to a hacker?
To be clear, no actual genetic information was obtained, according to 23andMe and the material put online. High-level account data, such as personal information and geographic ancestry breakdowns, were obtained.
This demonstrates where a person’s genes originated. A user may, for example, be 50% Irish, 25% Norwegian, 12.5% Welsh, and 12.5% Baltic.
“It is an opportunistic hack”
‘The main value from this hack will be personal information that could potentially be exploited in frauds,’ says Professor Alan Woodward, a cyber security expert at the University of Surrey.
‘Names, addresses, phone numbers, and general personal information are commonly sold by hackers to scammers, who may then send more targeted spam emails. Because it’s addressed to ‘Dear Alan’ rather than ‘Dear valued client,’ you assume they know who you are and that it must be authentic.
‘However, in terms of the genetic information itself, it may have some value in the future, but I can’t see how they’d monetize it today – I’d call it an opportunistic hack.
‘I’d be more worried if they had my fingerprints. Biometric data, such as your face or fingerprints, cannot be changed once it is in the public domain and can be used to get access to objects.’
However, the data obtained by commercial DNA tests is not confined to geography. The results also include medical forecasts that reveal your chances of having specific diseases or features, such as Alzheimer’s, diabetes, or male pattern baldness.
‘That information may one day be useful in society, possibly for insurance firms,’ adds Professor Woodward. ‘It’s one of those things you’d rather not have out there, but it’s unlikely to put you in danger right now.’
However, the medical data provided by these tests raises concerns about ‘DNA hacking’ closer to home.
What’s to stop a person from researching whether a potential mate is prone to baldness, cancer, or a hereditary propensity to alcoholism?
The findings could be used to destroy someone’s career by identifying health problems that could shorten their working life. Would a corporation hire a 58-year-old as CEO if they knew she or he had a significant risk of getting dementia?
Technically, there are safeguards in place to prevent such DNA hacking.
Non-consensual extraction of another person’s biological material for genetic study is a criminal offense under Section 45 of the UK Human Tissue Act of 2004.
However, proving this has occurred might be difficult and is not a top priority for the police. It is very difficult, if not impossible, for commercial companies to confirm that the DNA being analyzed belongs to the person providing the sample when it is sent by post rather than taken in person.
Furthermore, samples are not always sent secretly for malevolent motives; some users may want to surprise family members or loved ones with their results.
This is a high-risk move
Stories of lives being ruined as a result of the outcomes continue to emerge. People who were adopted or were the consequence of infidelity were told the news on a computer screen. Stories told about a family’s history can be proven to be false, and spouses have found they are connected.
However, when it comes to cold, hard statistics, having your DNA tested unknowingly could have additional consequences.
‘There are also civil liberties concerns,’ argues Professor Woodward. ‘If the police have obtained your DNA, they shouldn’t store it unless you’re charged, because you don’t want the police to have a broad database and just run any DNA found at a crime scene against it.’
With over 100 million people reported to have given their DNA – or had it submitted on their behalf – to various testing companies, it’s not out of the question that they’ll have that one day.
Joseph James DeAngelo, one of California’s most prolific serial murderers and rapists, was captured in 2018 when authorities matched his DNA to a relative who had their DNA tested online. Later, he pled guilty to several counts of murder and kidnapping.
Major commercial companies such as 23andMe and Ancestry declare that they do not voluntarily collaborate with law enforcement, despite the fact that their terms and conditions allow for extraordinary cases.
However, so-called investigative genetic genealogy does not always necessitate backdoor access to the major names. DeAngelo was apprehended after authorities conducted a search of GEDmatch, a free online database to which anyone can add their findings after taking a commercial test.
There is a lot more such information available now as a result of the current attack
Many individuals will not object, just as they are willing to disclose their date of birth when shopping, their phone number when booking a meal, and their address when signing up for an app.
All of them contribute to your digital footprint, and your DNA is now the least important.
But it’s 2023. It is unknown how the data will be used in the future, and once it is out there, it will be extremely difficult to recover.
The message is always apparent in these instances. Use strong passwords and never reuse them. Your future self will thank you.
Future clones that cannot be constructed now may not be built in the future.