Experts: 23andMe Hack Is DNA Catastrophe; Leaked Millions of Genetic Profiles

SAN FRANCISCO, CA – Earlier this week, in a startling revelation, 23andMe conceded that a hack in October was significantly worse than initially reported. Affecting nearly 6.9 million people, the scale of this data breach was shockingly larger than the initially stated figure of 14,000 users. Regrettably, the stolen data contained not only sensitive information such as full names, but genetic profiles. Yet, the severity of the situation was met with indifference by some consumers. As stated by a TikTok user, “What are they going to do, clone me?” While this remark adds a dash of humor, the implications of this breach experts say is catastrophic.

Albert Fox Cahn, Executive Director of the Surveillance Technology Oversight Project, amplified the gravity of the situation. “The truth is that none of us fully know the implications of this breach today, only the certainty that it will grow worse over time,” he said. The prospects of weaponizing DNA data, with the advent of increasingly powerful computers, raises concerns from health profiles to family trees and other intricate biological details.

The expanse of data theft, as stated by a 23andMe spokesperson, included individuals’ names, birth year, relationship labels, family name, and location information. An additional 1.4 million customers who opted-in to DNA Relatives had their Family Tree profile information exposed. However, the theft of genetic information appeared to be the most concerning; revelations included the percentage of DNA users shared with relatives, ancestry reports, and matching DNA segments.

Regrettably, the stolen data promptly found its way to illegal markets. A user was reported to have already offered selling the stolen 23andMe data on a well-known hacking forum around the time of the data breach. They provided alleged information of one million Jewish Ashkenazi and 100,000 Chinese 23andMe users as proof, setting a price range of $1 to $10 per person.

In the wake of this immense violation of privacy, the legal team at 23andMe swiftly issued a terms of service update to limit the company’s exposure to lawsuits. This policy update implies a shift towards binding arbitration, which essentially means resolving disputes outside of court—the update strictly prohibits a class-action lawsuit against the company, unless each individual opts out of the arbitration. The company provided an email address for opting out but chose to place this vital information discreetly at the end of the fifth section of its updated terms.

Given the frequency and magnitude of data breaches, it might be challenging for some to understand why this particular incident holds such significance. Technology giants like Google and Meta continually amass trillions of data points. The reality, however, is the inconspicuous ways this information can be maneuvered. What may not seem immediate or relevant can significantly modulate your life, often unbeknownst to you.

And yet, the potential misuse of such data is not limited to current possibilities. Gene science is a rapidly expanding field, and future technologies may be able to extrapolate far more than we can currently comprehend. The abundance of floating data on the internet poses a persistent concern. Thus, although some seem to shrug at the silver screen-like prospects of “cloning,” the potential implications of this data breach on your privacy and future alludes to an alarmingly cautionary tale, to not underestimate the power of one’s own data, and the critical responsibility organizations have in protecting it.

In a world focused on data-driven advancements, privacy concerns often lurk as the unfortunate baggage that comes with the territory. It’s a stark reminder that trust bestowed upon companies to hold personal information sacred and inviolable should be the cornerstone of their functioning. As is clear with the 23andMe hack, even a single breach can compromise the privacy of millions, creating an urgent demand for robust protective measures.