When details of a hack at DNA testing firm 23andMe first came to light, the news made few headlines – the eyes of the world were on Israel and Gaza.
Initial reports suggested around a million people’s accounts had been accessed, but the company’s latest update puts the number of affected customers at 6.9 million.
23andMe provides users with a comprehensive ancestry breakdown based on their DNA and, according to the leaked data, its customers include Elon Musk and Mark Zuckerberg – although this has not been verified.
The company maintains the data breach was not a hack of its own systems, but a mass targeting of individual users, in what is known as a ‘credential stuffing’ attack. This is where attackers take username and password pairs leaked in earlier breaches and replay them against other sites to find people who reused the same login details – although a number of users maintain their details were unique and their accounts could not have been accessed this way.
Credential stuffing is the digital equivalent of opportunistic burglars trying all the doors on a street.
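The burglar analogy has a practical consequence for defenders: a credential-stuffing run looks different from a user mistyping their own password, because one source tries many different usernames with a high failure rate in a short window. The following is an added example, not code from the original article or from 23andMe, showing that detection heuristic over a handful of constructed log lines (the log format, IP addresses, usernames and thresholds are assumptions for illustration). It also reports which accounts the flagged source logged into successfully, since those are the accounts that need a forced password reset and session revocation.

```python
"""
Flag credential-stuffing sources in authentication logs.

Heuristic: a single client IP that attempts many *distinct* usernames
with a high failure ratio inside a short window is replaying a leaked
credential list, not a legitimate user fumbling one login.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not from any real system).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=carol result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=dave result=OK
2023-10-01T12:00:03Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=frank result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.7 user=grace result=FAIL
2023-10-01T12:00:10Z ip=198.51.100.2 user=alice result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.2 user=alice result=FAIL
2023-10-01T12:00:35Z ip=198.51.100.2 user=alice result=OK
2023-10-01T12:05:00Z ip=192.0.2.9 user=heidi result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **kv}


def detect_stuffing(log_text, window=timedelta(minutes=1),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources whose login pattern looks like
    credential stuffing. For each IP a sliding window of `window` length
    is moved over its events; the qualifying window with the most distinct
    usernames is reported, together with the accounts it logged into."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            events_by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start until it fits inside `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] != "OK" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": failures,
                        # Accounts the attacker got into: reset these.
                        "successes": [e["user"] for e in win if e["result"] == "OK"],
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Here 203.0.113.7 is flagged (seven usernames in four seconds, six failures) and `dave` is listed as a compromised account, while 198.51.100.2 is ignored because it is one user retrying a single login. The thresholds are deliberately loose for the tiny sample; in production they would be tuned against the site's normal traffic, and the window would usually be keyed on an IP range or device fingerprint rather than a single address, since stuffing tools rotate through proxies.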
Such hacks are not uncommon, but this did raise a big question – what use is your DNA to a hacker?
To clarify: according to 23andMe, and from what has been posted online, no raw genetic data was taken. What was accessed was high-level account data, such as personal details and users’ geographic ancestry breakdown.
This shows where a person’s genes have come from. For example, a user may be of 50% Irish heritage, 25% Norwegian, 12.5% Welsh and 12.5% Baltics.
Which is curious information to steal.
‘The main value from this hack is going to be personal information that might be used in scams later,’ says Professor Alan Woodward, a cyber security specialist based at the University of Surrey.
‘Names, addresses, telephone numbers, general personal information – hackers tend to sell this on to scammers, who can then write spam emails that are more targeted. It’s “Dear Alan” rather than “Dear valued customer”, so you think they know who you are and that it must be legitimate.
‘But in terms of the genetic information itself, it may have some value in the future, but today I can’t see how they would monetise it – I’d say it’s a fairly opportunistic hack.
‘I’d be more concerned if someone had my fingerprints. Biometric data, like your face, your fingerprints, can’t be changed once it’s out in the public, and can be used to access things.’
But the information generated by commercial DNA tests is not limited to geography. The results can also include health predictions: your likelihood of developing particular conditions or traits, such as Alzheimer’s, diabetes or male pattern baldness.
‘That information may be important in society one day, perhaps for insurance companies,’ says Professor Woodward. ‘It’s one of those things you’d rather not have out there, but probably won’t put you at risk now.’
However, the medical information supplied by these tests does raise concerns over ‘DNA hacking’ closer to home.
What is to stop a person checking whether their prospective partner is likely to go bald, or develop cancer, or have a genetic predisposition to alcoholism?
Perhaps the results could be used to sabotage someone’s career, highlighting health risks that may limit their working life. Would a company hire a 58-year-old to be its new CEO if they knew she or he had a high chance of developing dementia?
On paper, there is legal protection against such DNA hacking.
Under section 45 of the UK Human Tissue Act 2004, holding another person’s bodily material with the intention of analysing its DNA without their consent is a criminal offence.
Proving this has taken place, however, can be tricky, and it is not a high priority for the police. It is also difficult, if not impossible, for commercial companies to verify that the DNA being tested belongs to the person submitting the sample when it is sent by post rather than taken in person.
And samples may not always be sent ‘secretly’ for nefarious purposes – some users may wish to surprise family members or loved ones with their results.
A high-risk move.
Tales of lives being shattered by the results continue to grow. People who were adopted or the result of infidelity have had the news broken to them on a computer screen. Stories told about a family’s history can be exposed as fiction, and spouses have discovered they’re related.
However, when it comes to the cold, hard data, unwittingly having your DNA sampled could have other repercussions.
‘There are civil liberty concerns as well,’ says Professor Woodward. ‘If you’ve had your DNA taken by the police, they shouldn’t keep it unless you’re charged, because what you don’t want is the police having a general database and just running any DNA found at a crime scene against it.’
Yet with more than 100 million people estimated to have submitted their DNA – or had it submitted on their behalf – to various testing companies, it is not beyond the realm of possibility that one day that is what they’ll have.
In 2018, Joseph James DeAngelo, one of California’s most prolific serial killers and rapists, was arrested after police matched crime-scene DNA to a relative who had had their DNA tested online. He later pleaded guilty to multiple counts of murder and kidnapping.
Major commercial companies such as 23andMe and Ancestry state they do not voluntarily share customer data with law enforcement, although their terms and conditions do provide for exceptional circumstances.
However, investigative genetic genealogy, as it is known, does not necessarily require backdoor access to the big names. DeAngelo was caught after the police searched GEDmatch, a free online database to which users can upload their results after taking a commercial test.
Following the recent hack, there is a lot more such information out there.
Many people won’t mind, in the same way they are happy to share their date of birth while shopping, telephone number while booking a restaurant and address while signing up to an app.
All of these add to your digital footprint, and of them all, right now your DNA is the least valuable.
But this is 2024. How the data could be used in the future is as yet unknown, and once it is out there, it will be very hard to get back.
As always in these scenarios, the message is clear. Always use a strong password – and never reuse one across sites. Your future self will be grateful.
Future clones that now can’t be built may not be.