Patient Privacy News

23andMe Data Security Event Raises Concerns for Minority Health Data

Senator Bill Cassidy raises concerns to 23andMe CEO after a recent data leak led to the exposure of PII of people of Jewish and Chinese heritage.


By Jacqueline LaPointe

- Minority groups are at risk following a potential data security event involving 23andMe that may have resulted in health-related data and personally identifiable information (PII) of certain minority groups being exposed on the dark web.

Senator Bill Cassidy (R-LA) recently wrote to 23andMe CEO Anne Wojcicki, raising concerns that a data leak disclosed earlier this month could be putting people of Jewish and Chinese heritage at risk. The leak involved the unauthorized disclosure of 1.3 million customers’ information, including PII of 1 million customers identifying as people of Ashkenazi Jewish descent and 300 million customers identifying as people of Chinese heritage, Cassidy said.

Hackers posted information including name, sex, birth year, location, photos, health information, and genetic ancestry results to the dark web through a database entitled, “Ashkenazi DNA Data of Celebrities.”

“Genetic information is particularly sensitive, carrying health and personally identifying information that can be used against its owners,” Cassidy wrote. “To this point, one commenter on the posted list proclaimed, ‘Crazy, this could be used by Nazis.’ This posting comes at a time of increasing rates of global antisemitism and anti-Asian hate, which can be leveraged to draw higher prices for the information and increase the threat from potential evildoers.”

News sources have reported that hackers with information allegedly stemming from the 23andMe incident have offered to sell the records for between $1 and $10.

In addition to potential hate crimes and race-driven events, Cassidy also explained that unauthorized disclosure of health-related information could negatively impact individuals. For example, Ashkenazi Jewish ancestry is associated with higher risks of Gaucher disease, Canavan disease, Tay-Sachs disease, Crohn’s disease, and breast, ovarian, and prostate cancer.

“Such information in the hands of employers, potential employers, foreign governments, hostile actors, and others could be used to discriminate against individuals associated with the group,” Cassidy wrote.

The lawmaker is seeking answers from 23andMe regarding the alleged data security incident. Cassidy said the statement released by the California-based personal genomics and biotechnology company claims its systems did not experience a data breach, but rather that hackers used customers’ own passwords to log in and scrape information from the platform’s DNA Relatives feature.

23andMe does not have any indication at this time that a data security incident occurred within its systems or that the company was the source of the account credentials that were used in the attacks. Threat actors may have accessed certain accounts in which users recycled login credentials, including usernames and passwords, that may have been used on other websites that have been previously hacked.

Still, Cassidy wants to know when the company became aware of the security incident, the protocols it followed once it detected the potential security incident, and when and how the company notified users.

Other questions for 23andMe relate to the regulatory and contractual obligations the company is subject to as a holder of individual genetic data and the phenotypes evident from that data. What cyber and physical safeguards does the company have in place? And is it accredited by any privacy and security organizations?

Cassidy expects answers to these questions and several more related to audits, user access, large-scale downloads, past data breaches, remediation actions, and breach prevention by November 3rd.

“Given that your company has 14 million users, the potential for sensitive user data breach is immense and could extend beyond this serious incident. It is critical that you take the necessary precautions to protect your customers from breaches that can have serious impacts on their livelihoods and wellbeing,” Cassidy stated.

CORRECTION: The article was updated to reflect clarifications from 23andMe regarding the data leak, including that the company has no indication a data security incident occurred within its systems.