Genetic testing company 23andMe disclosed additional details this weekend about a data breach it first reported in early October, revealing that the personal information of nearly 7 million customers was accessed by hackers.
Initially, 23andMe said that hackers had accessed the data of roughly 0.1% of its customers, amounting to around 14,000 users. However, TechCrunch reported that a spokesperson from 23andMe confirmed on Saturday that the breach was much larger, encompassing genetic data and ancestry reports of approximately 6.9 million individuals.
The recently disclosed numbers show that the 23andMe data breach impacted almost half of the company's reported 14 million total customers.
According to Katie Watson, a spokesperson for 23andMe, hackers were able to access the personal information of 5.5 million customers who had opted into the DNA Relatives feature. This feature allows users to connect and share ancestry data with genetic matches in the 23andMe database.
For the 5.5 million DNA Relatives users impacted, the breached data included full names, birth years, family relationship information, percentages of shared DNA, ancestry reports, and self-reported locations.
Additional 1.4 Million Family Trees Accessed
An additional 1.4 million 23andMe customers who had built out Family Tree profiles also had personal information stolen by hackers.
For these 1.4 million affected users, the breach included display names, birth years, relationship details, self-reported locations, and whether they had chosen to make their profiles public.
Hackers Able to Leverage Relatives Feature
23andMe utilizes the DNA Relatives tool to match customers with genetic relatives across its user database. As a result, by gaining access to a single user's account, hackers were able to view personal information on all of that user's matched relatives as well.
This account linking through the DNA Relatives feature dramatically multiplied the amount of customer data that the hackers could access in the breach. Initially penetrating just 14,000 individual accounts, the hackers were able to leverage those to reach genetic data on nearly 7 million total customers.
Breach Details Still Unclear
Many questions remain unanswered about the specifics of the 23andMe breach.
It is unclear why 23andMe did not reveal the full extent of exposed customer data back in October when it first reported the hack. The company simply cited reused passwords that enabled brute-force attacks as the method hackers utilized to break into accounts.
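The two technical points in this report, password reuse letting attackers test leaked credentials against many accounts, and the DNA Relatives link exposing matched profiles once a single account is compromised, can both be checked in code. The following is an added example and not 23andMe code; it runs over a constructed authentication log in an assumed `timestamp ip user result` format and a constructed relatives-match table, flags source IPs that attempt many distinct usernames with a low success rate, and then counts how many profiles are visible through the accounts those IPs did get into.

```python
"""Credential-stuffing detection and relatives-link exposure count.

Added example, not code from 23andMe. The log format and the match table
below are constructed for illustration; real systems differ.
"""
from collections import defaultdict

# Constructed auth log: "timestamp ip user result". 203.0.113.7 sprays
# eight different usernames and lands two; the other IPs look like normal
# users retrying their own password.
SAMPLE_LOG = """\
2023-10-01T00:00:01 203.0.113.7 alice SUCCESS
2023-10-01T00:00:02 203.0.113.7 bob FAIL
2023-10-01T00:00:03 203.0.113.7 carol FAIL
2023-10-01T00:00:04 203.0.113.7 dave FAIL
2023-10-01T00:00:05 203.0.113.7 eve SUCCESS
2023-10-01T00:00:06 203.0.113.7 frank FAIL
2023-10-01T00:00:07 203.0.113.7 grace FAIL
2023-10-01T00:00:08 203.0.113.7 heidi FAIL
2023-10-01T00:01:00 198.51.100.4 bob FAIL
2023-10-01T00:01:05 198.51.100.4 bob SUCCESS
2023-10-01T00:02:00 192.0.2.9 carol SUCCESS
"""

# Constructed DNA-Relatives style match table: account -> accounts whose
# profile data it can see through the feature (symmetric matches).
MATCHES = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob"},
    "eve": {"frank"},
    "frank": {"eve"},
}


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"}


def detect_credential_stuffing(lines, min_users=5, max_success_ratio=0.5):
    """Return {ip: [accounts successfully logged into]} for IPs that try
    at least min_users distinct usernames with a success ratio at or below
    max_success_ratio. A normal user retrying one account never trips it."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "successes": 0, "compromised": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        bucket = per_ip[ev["ip"]]
        bucket["users"].add(ev["user"])
        bucket["attempts"] += 1
        if ev["ok"]:
            bucket["successes"] += 1
            bucket["compromised"].add(ev["user"])

    flagged = {}
    for ip, b in per_ip.items():
        ratio = b["successes"] / b["attempts"]
        if len(b["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(b["compromised"])
    return flagged


def exposed_profiles(compromised, matches):
    """Profiles readable from the compromised accounts: the accounts
    themselves plus their direct matches. Only one hop is taken, because
    seeing a relative's profile does not grant that relative's own view."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= matches.get(account, set())
    return exposed


if __name__ == "__main__":
    flagged = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, accounts in flagged.items():
        reach = exposed_profiles(accounts, MATCHES)
        print(f"{ip}: {len(accounts)} accounts taken, "
              f"{len(reach)} profiles exposed via relatives link")
```

The success-ratio threshold is what separates a spray from a legitimate user who mistypes a password: the attacker IP above fails most attempts across many accounts, while the two ordinary IPs each touch one username. The exposure count shows the multiplier the article describes, two compromised accounts reveal five profiles here, which is the argument for limiting what a linked match can see and for stepping up authentication on accounts that expose other people's data.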
There is still no word on whether law enforcement has been involved in investigating the data theft or if 23andMe has been able to identify the perpetrators.
The 23andMe breach underscores growing apprehensions about privacy vulnerabilities stemming from consumer genetic testing services.
Genetic profiles contain highly sensitive markers relating to health conditions, ancestry, family connections, and more. Having this data fall into the wrong hands could lead to identity theft, targeted phishing scams, genetic discrimination, and other forms of fraud or abuse.
As direct-to-consumer genetic testing providers like 23andMe amass genetic profiles on millions of users, critical questions around data protection continue mounting. Events like this latest breach will undoubtedly heighten scrutiny and skepticism regarding the entire ecosystem.