About the author: Justin Sherman is the founder and CEO of Global Cyber Strategies, a Washington, D.C.-based research and advisory firm, a senior fellow at Duke University’s Sanford School of Public Policy, and a nonresident fellow at the Atlantic Council.
The genetic information of nearly seven million people has been compromised after a hacker targeted genetic-testing company 23andMe. The hacker used passwords that individuals had reused elsewhere to gain access to about 14,000 customers’ accounts, the company disclosed, then used 23andMe’s social features to view the information of millions more.
23andMe says that the breach was a credential-stuffing attack, meaning users had logins and passwords stolen elsewhere that they had also recycled for their 23andMe accounts. “We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said. Hackers accessed 5.5 million individuals’ names, birth years, relationship labels, DNA similarity to relatives, ancestry reports, and more—and accessed another 1.4 million people’s Family Tree profile information.
It’s a devastating breach for a variety of reasons. Many consumers have gotten used to changing their credit card numbers after a security incident, but you cannot change your DNA. Information gleaned from your genetic data samples is unique to you and can last forever. It’s also not the first time Americans have had their data compromised via a genetic-testing company. In September, for instance, the Federal Trade Commission finalized an order with genetic company 1Health.io, which had stored customers’ genetic data, unencrypted, on a public server alongside consumers’ names.
The U.S. lacks comprehensive privacy laws. These breaches of genetic information underscore the incredible surveillance, cybersecurity, and privacy harms that stem from the U.S.’s regulatory inaction. By failing to impose the most basic legal and regulatory requirements for companies handling data, and especially for companies handling highly sensitive genetic information, the U.S. undermines its own citizens’ privacy, national security, and international credibility. It also limits the potential for genetic-data innovations that have wide societal acceptance. These problems will continue until the U.S. passes laws and regulations that raise the bar of protections for genetic and other highly sensitive data.
All told, 23andMe has a wealth of data about consumers, their genetics, and their families, with over 14 million customers worldwide. It offers genotyping tests, among other services, that examine variations in an individual’s DNA and then map that to the likes of medically relevant genes and known disease associations. Consumers can obtain a testing kit from the company, mail in a saliva sample, and then receive their results online. But that’s not the only way the company makes money with customer data. In 2018, 23andMe signed a five-year deal with pharma giant GlaxoSmithKline to use that genetic data for drug research and discovery. 23andMe shared “statistical analytics” as well as what 23andMe describes as “aggregate and de-identified data” from consenting customers. The company sent a link to a blog post that says de-identified data does not identify particular individuals, but it’s unclear exactly how that would work. GSK recently extended the agreement and agreed to pay $20 million for one year of access to data.
Wired reported in October that hackers had posted information from people of Ashkenazi Jewish and Chinese ancestry on the dark web, taken from 23andMe. Hackers also published a dataset targeting customers whose ancestors come from Great Britain.
The harm from this breach—and from other incidents like it—touches millions of Americans. Genetic data has great potential in medicinal and clinical research contexts, such as advancing gene therapy to fight disease, but there is also tremendous risk. Stolen DNA gives nefarious actors information that is permanently unique to that person. One person’s genetic information can also be connected to their relatives, widening the impact of a single data breach and raising all kinds of complicated privacy questions. And as new technologies are developed, it is incredibly difficult for consumers, policymakers, and even industry experts to anticipate exactly how genetic data could be traced, identified, used, and exploited decades into the future. Social media hints at how these problems can unfold. Consumers posting pictures to social media in the early 2000s likely didn’t consider how in 2023 companies they’ve never heard of could scrape those images to build facial recognition for policing or even generate nonconsensual, fake sexual imagery. Yet, that happens today. It’s hard to forecast how the damage of genetic data breaches will unfold years down the line. The potential for genetic data exploitation is only likely to increase.
But the harms aren’t just to individuals. The U.S. as a whole is at risk from policymakers’ failure to implement strong privacy and security requirements for genetic and other data. While Beijing had regulations come into effect in July to tightly control the use and export of genetic data, the U.S. system allows terrible data privacy and security practices to thrive. Congress has yet to pass a comprehensive privacy law for companies that handle all kinds of consumers’ data. It likewise has not passed legislation about company cybersecurity practices and the protection of genetic and other highly sensitive data. The Chinese government, meanwhile, is coupling its clampdowns on genetic data outflows with continued hacking campaigns and foreign investments to acquire genetic information from the U.S. and other countries, for possible use in research and intelligence activities. Not shoring up restrictions on genetic data collection and protections for genetic datasets only makes this illicit acquisition and espionage easier for foreign states.
Other countries see the U.S. championing itself as the world leader in responsible technology, but have to weigh that against a largely unregulated landscape where companies are not incentivized toward robust cybersecurity and can legally sell genetic data. For the U.S. to protect its citizens, defend its national security, and credibly promote responsible tech policy at once, it must get its own house in order. This includes focusing on genetic data as a valuable case study and a source of high risk. For instance, companies should be compelled to better segment internal systems so hackers can’t hop from thousands of people’s accounts to millions of people’s genetic information. Policymakers and lawyers should use debates about what constitutes “reasonable security” to help define liability for bad practices. Congress should give regulatory agencies, like the Federal Trade Commission, far more resources to conduct privacy enforcement against companies like 1Health.io that purport to help consumers while exposing their genetic data unencrypted on public servers.
Perfect cybersecurity is impossible, and as long as these kinds of genetic databases exist, hackers will try to break into them. The U.S. should take that risk as an opportunity to promote balanced but firm data privacy and cybersecurity requirements that shift the market in the right direction.
Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors.