Is the 23andMe data leak just the “first shoe to drop” in the DNA data sector?

The threat actor thought to be behind the compromise of 23andMe user accounts has now leaked more than four million data profiles.

A couple of weeks ago, 23andMe confirmed that attackers had successfully gained access to user accounts via credential stuffing. This is where accounts are compromised using login credentials obtained from breaches elsewhere.

The attacker then leaked stolen data onto criminal forums. Specifically, it shared the data of one million Ashkenazi Jews, scraped from users who had used 23andMe for genetic and ancestry research purposes.


In an update from 9 October, 23andMe said that “certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual accounts without the account users’ authorisation”.

This enabled a large amount of data to be stolen from a limited number of compromised accounts. That this included “information about users’ DNA Relatives profiles” is of obvious concern here.

Wired reported that 23andMe user profiles were being offered for as little as $1 each, rising to $10 depending on the data covered.

An investigation by TechCrunch reporters confirmed that some of the leaked data matches known 23andMe users and their genetic information. A 23andMe spokesperson said that it was reviewing the data to determine its legitimacy.

Meanwhile, the investigation into the attack is ongoing. “We do not have any indication at this time that there has been a data security incident within our systems,” 23andMe said, “or that 23andMe was the source of the account credentials used in these attacks.”

It encourages users to enable multi-factor authentication and use a strong password. That is advice we would extend to anyone at any time, particularly if you have used a DNA service.

What experts say about the 23andMe data leak

“Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data,” said Tyler Farrar, CISO, Exabeam.

“Organisations should be able to establish a clear behavioural baseline for users and devices on their network. Understanding ‘normal’ behaviour allows for the identification of deviations that may signify compromised credentials. Remember — you ought to know your network and your people better than the attackers.”
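The two detection ideas the article touches on, the credential-stuffing pattern described earlier (one source replaying borrowed credentials against many accounts) and the behavioural baseline Farrar describes here, can be sketched as log heuristics. The following is an added example written for this article, not 23andMe code or anything from the quoted companies; the log format, field names, thresholds and every event in it are constructed, and it also adds a third check, bulk reads of linked profiles from a single account, since that is how a small number of compromised accounts yielded so much data.

```python
"""Detection heuristics for an account-takeover chain: credential stuffing,
a login that breaks the account's baseline, then bulk scraping of linked
profiles from the hijacked session.

Added example for this article, not 23andMe code. The log format, field
names, thresholds and every event below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # constructed Unix timestamp
    src_ip: str
    account: str
    success: bool
    country: str
    user_agent: str


@dataclass(frozen=True)
class ProfileView:
    ts: int
    account: str
    viewed_profile: str  # id of a linked "relative" profile that was read


# Past successful logins used to build a per-account baseline (constructed).
HISTORY = [
    LoginEvent(1_000, "10.0.0.5", "alice", True, "GB", "Firefox/118"),
    LoginEvent(2_000, "10.0.0.5", "alice", True, "GB", "Firefox/118"),
    LoginEvent(1_500, "10.0.1.9", "bob", True, "US", "Chrome/117"),
    LoginEvent(2_500, "10.0.1.9", "bob", True, "US", "Chrome/117"),
]

# Constructed log window: 198.51.100.7 sprays reused credentials at many
# accounts and gets one hit (bob); alice logs in as she always does.
RECENT = [
    LoginEvent(10_000, "198.51.100.7", "carol", False, "NL", "python-requests/2.31"),
    LoginEvent(10_003, "198.51.100.7", "dave", False, "NL", "python-requests/2.31"),
    LoginEvent(10_006, "198.51.100.7", "erin", False, "NL", "python-requests/2.31"),
    LoginEvent(10_009, "198.51.100.7", "frank", False, "NL", "python-requests/2.31"),
    LoginEvent(10_012, "198.51.100.7", "bob", True, "NL", "python-requests/2.31"),
    LoginEvent(10_100, "10.0.0.5", "alice", True, "GB", "Firefox/118"),
]

# Constructed post-login activity: the hijacked account reads far more linked
# profiles than a person browsing their relatives would.
VIEWS = [ProfileView(10_020 + i, "bob", f"rel-{i:04d}") for i in range(250)] + [
    ProfileView(10_200, "alice", "rel-0007"),
    ProfileView(10_260, "alice", "rel-0031"),
]


def stuffing_sources(events, window_s=600, min_accounts=4, min_fail_ratio=0.5):
    """Source IPs that, within one window, try many distinct accounts with a
    high failure ratio. Returns {src_ip: (distinct_accounts, fail_ratio)}."""
    per_src = defaultdict(list)
    for e in events:
        per_src[(e.src_ip, e.ts // window_s)].append(e)
    flagged = {}
    for (ip, _bucket), evs in per_src.items():
        accounts = {e.account for e in evs}
        fail_ratio = sum(not e.success for e in evs) / len(evs)
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = (len(accounts), round(fail_ratio, 2))
    return flagged


def build_baseline(history):
    """Per-account set of (country, user_agent) pairs from past successful logins."""
    baseline = defaultdict(set)
    for e in history:
        if e.success:
            baseline[e.account].add((e.country, e.user_agent))
    return baseline


def baseline_deviations(events, baseline):
    """Successful logins whose country or user agent is new for that account.
    Returns a list of (account, src_ip, reason)."""
    out = []
    for e in events:
        if not e.success or e.account not in baseline:
            continue
        known_countries = {c for c, _ in baseline[e.account]}
        known_agents = {ua for _, ua in baseline[e.account]}
        reasons = []
        if e.country not in known_countries:
            reasons.append(f"new country {e.country}")
        if e.user_agent not in known_agents:
            reasons.append(f"new user agent {e.user_agent}")
        if reasons:
            out.append((e.account, e.src_ip, "; ".join(reasons)))
    return out


def bulk_readers(views, window_s=3600, max_profiles=50):
    """Accounts reading an implausible number of distinct linked profiles in one
    window. Each request is authorised on its own; the volume is the signal.
    Returns {account: distinct_profiles}."""
    per_acct = defaultdict(set)
    for v in views:
        per_acct[(v.account, v.ts // window_s)].add(v.viewed_profile)
    return {acct: len(p) for (acct, _), p in per_acct.items() if len(p) > max_profiles}


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(RECENT))
    print("baseline deviations:", baseline_deviations(RECENT, build_baseline(HISTORY)))
    print("bulk profile readers:", bulk_readers(VIEWS))
```

The first check catches the spray itself even when the attacker's credentials are valid, because the tell is many accounts from one source with mostly failures, not any single bad password. The second check is the "know your people" point: a correct password presented from a country and client the account has never used is still a deviation worth stepping up authentication on. The third check is what would have surfaced the scraping described above, where individually legitimate DNA Relatives lookups added up to an export.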

Referring to class action lawsuits understood to have been initiated, Roger Neal, Head of Products at Apona Security, warned that “the fallout for 23andMe is manifold; it’s grappling with a potential financial drain running into billions alongside a tarnished reputation which could deter current and prospective customers.”

Meanwhile, Ken Westin, Field CISO at Panther Labs, is concerned about regulation for the wider DNA mapping industry. “For the most part, the protection of DNA data has been unregulated; at best, it’s been treated like PII,” he said. “This recent attack is incredibly troubling, as the attackers specifically targeted an ethnic group and exposed sensitive information about individuals based on ethnic heritage.”

Westin blames the slow pace of regulation and action by law enforcement around the use and protection of DNA data for creating a perfect storm for adversaries to exploit and profit from incredibly sensitive data. “I’m afraid to say this is just the first shoe to drop when it comes to the breach of DNA data.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.