14,000 DNA tests in the wild and almost 7 million customers affected

The hackers targeted 23andMe, a California laboratory specializing in DNA testing. They broke into the system by reusing passwords leaked in earlier cyberattacks. Result: the data of some customers, with or without DNA details, is now being sold for up to $10 per record.

A collection kit for DNA testing.  The firm 23andMe confirmed on December 5, 2023 that hackers had stolen the passwords and personal data of almost 7 million people.  (ERIC BARADAT / AFP)

It was one of the Black Friday deals: 79 dollars, under 100 euros, for a mail-in kit that uses DNA to tell you who you are or to confirm (or rule out) a family relationship. 14 million customers had already been won over by 23andMe's saliva kit by the time the hack was announced.

On October 6, we learned that the company had been targeted (it would be again a few days later), but we had no idea how serious these intrusions were. We had to wait until last Monday, almost two months, to learn the extent of the theft of this very particular kind of data: DNA.

Half of the 14 million customers

According to 23andMe, fewer than 0.1% of its customers, up to 14,000 people, were directly affected, their DNA test data now in the wild. But through those accounts the hackers also retrieved “a significant number of files” describing the relationships of other users, and those are far more numerous: 6.9 million. The stolen data includes names, year of birth, the percentage of DNA shared with relatives and, for some, part of the family tree and the geographical location they had agreed to share.

So almost 7 million of its 14 million customers are affected. And yet business goes on, almost as if nothing had happened. 23andMe has announced stronger identification of its customers before they can access its website (two-factor authentication is now, at last, required), but the laboratory has also, very discreetly, updated its general terms of use. That was on November 30.

A mediator to avoid lawsuits

The new version of this contract, which every new customer accepts when creating an account, is meant to shield the laboratory from lawsuits and class actions by requiring any dispute, including in cases of cyberattack and DNA data leak, to go through a mediator whose decision is final and cannot be appealed. Yet eight days after the initial announcement, at the beginning of October, several complaints had already been filed.

Since November 30, 23andMe's customers have been notified by email. Unless they expressly reject the new terms within 30 days, they will no longer be able to take the matter to court. That is exactly what the laboratory is counting on in the event of another DNA data leak, assuming it recovers from this one.
