Why the 23andMe Data Breach Is Such a Disaster

The consumer DNA harvesting king exposed 6.9 million people’s data. We’ll never know exactly what goes wrong from here.
Earlier this week, 23andMe admitted that an October hack was dramatically worse than the company initially admitted, affecting 6.9 million people, not the 14,000 it first reported. 23andMe followed up with an early Christmas present for users: a terms of service update that funnels disgruntled users into a mass arbitration process instead of a class-action lawsuit. The stolen data includes full names, genetic information, and more, but despite the sensitivity of the information, some consumers responded with a shrug. As one TikTok user commented on a video about the subject, “What are they going to do, to clone me?”
Hackers probably won’t use your DNA information to make you a lab-grown baby brother, but experts agree: this hack is a catastrophe.
“The truth is that none of us fully know the implications of this breach today, only the certainty that it will grow worse over time,” said Albert Fox Cahn, Executive Director of the Surveillance Technology Oversight Project. “The ability to weaponize DNA data will only grow more acute as computers grow more powerful. From our health profiles to our family trees to far subtler details of our biology, this hack could potentially reveal so much.”
According to a 23andMe spokesperson, hackers stole data including people’s names, birth year, relationship labels, family name, and location. An additional 1.4 million people who opted in to DNA Relatives also “had their Family Tree profile information accessed.” The worst, however, was the genetic info. Not only did hackers steal information about the percentage of DNA users shared with relatives, but 23andMe also leaked ancestry reports and matching DNA segments (specifically where on their chromosomes they and their relatives had matching DNA).
It seems this data is already up for sale. Wired reported in October that a user had advertised stolen 23andMe data on a well-known hacking forum around the time of the data breach. The user published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese 23andMe users as proof, asking for $1 to $10 per person in the data set.
In general, companies have a legal obligation to protect their customers from data breaches. Under other circumstances, the 23andMe hack could expose the company to lawsuits, but that’s taken care of thanks to an “arbitration clause” in its terms of service which forces you to give up your right to sue.
