posted by janrinok on Monday October 28, @12:04PM
from the all-your-DNA-are-belong-to-us dept.

Since it was founded nearly two decades ago, 23andMe has grown into one of the largest biotechnology companies in the world. Millions of people have used its simple genetic testing service, which involves ordering a saliva test, spitting into a tube, and sending it back to the company for a detailed DNA analysis.

But now the company is on the brink of bankruptcy. This has raised concerns about what will happen to the troves of genetic data it has in its possession.

The company's chief executive, Anne Wojcicki, has said she is committed to customer privacy and will "maintain our current privacy policy".

But what can customers of 23andMe themselves do to make sure their highly personal genetic data is protected? And should we be concerned about other companies that also collect our DNA?

[...] 23andMe has had a rapid downfall after the 2021 high of its public listing.

Its value has dropped more than 97%. In 2023, it suffered a major data breach affecting almost seven million users and settled a class action lawsuit for US$30 million.

Last month its seven independent directors resigned amid news the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.

What this might mean for its vast stores of genetic data is unclear.


Related Stories

23andMe Says Private User Data is Up for Sale After Being Scraped

Records reportedly belong to millions of users who opted in to a relative-search feature:

Genetic profiling service 23andMe has commenced an investigation after private user data was scraped off its website

Friday's confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe's CEO was aware the company had been "hacked" two months earlier and never revealed the incident. In a statement emailed after this post went live, a 23andMe representative said "nothing they have posted publicly indicates they actually have any 'health information.' These are all unsubstantiated claims at this point."

23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that essentially reassembles large amounts of data by systematically extracting smaller amounts of information available to individual users of a service. Attackers gained unauthorized access to the individual 23andMe accounts, all of which had been configured by the user to opt in to a DNA relative feature that allows them to find potential relatives.

[...] The DNA relative feature allows users who opt in to view basic profile information of others who also allow their profiles to be visible to DNA Relative participants, a spokesperson said. If the DNA of one opting-in user matches another, each gets to access the other's ancestry information.

23andMe: Profiles of 6.9 Million People Hacked

Hackers have been able to gain access to personal information from about 6.9 million users of genetic testing company 23andMe, using customers' old passwords:

In some cases this included family trees, birth years and geographic locations, the company said.

After weeks of speculation the firm has put a number on the breach, with more than half of its customers affected.

The stolen data does not include DNA records.

[...] As was first reported by Tech Crunch, the company has acknowledged that by accessing those accounts, hackers were then able to find their way into "a significant number of files containing profile information about other users' ancestry".

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.

The stolen data includes information like names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.

I'm with Bill Burr on this.

See also: 23andMe Says Private User Data is Up for Sale After Being Scraped


23andMe Tells Victims it's Their Fault that Their Data was Breached

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch:

"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

[...] But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."

"Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures," the letter reads.

Zavareei said that 23andMe is "shamelessly" blaming the victims of the data breach.

"This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform," Zavareei said in an email.

"The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe's platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe's attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever," said Zavareei.
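The summaries above describe two distinct mechanisms: credential stuffing against a few thousand accounts with reused passwords, followed by bulk collection of other users' profiles through the relative-matching feature of those compromised accounts. The following is an added example, not code from the story, from the quoted news articles or from 23andMe, of the two log-side checks a defender would want for each stage: one that flags a source address trying many distinct accounts with mostly failed logins (and lists the accounts it did get into), and one that flags a single account viewing far more relative profiles in a window than an ordinary user would. The log formats, field names, thresholds and sample lines are all constructed for the example.

```python
"""Added example: two simple detectors over constructed, synthetic log lines.
Stage 1 (credential stuffing): one source IP tries many *distinct* accounts,
mostly failing; the few successes are the accounts to force-reset.
Stage 2 (scraping via a relative-matching feature): one account views far
more other users' profiles than a normal user would in an hour.
Log formats, thresholds and sample data are assumptions, not a real system's."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed auth log, one event per line: "<unix_ts> <source_ip> <user> <OK|FAIL>"
AUTH_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol FAIL
1003 203.0.113.7 dave OK
1004 203.0.113.7 erin FAIL
1005 203.0.113.7 frank FAIL
1006 203.0.113.7 grace OK
1007 203.0.113.7 heidi FAIL
1008 203.0.113.7 ivan FAIL
1009 203.0.113.7 judy FAIL
1010 198.51.100.2 alice FAIL
1011 198.51.100.2 alice FAIL
1012 198.51.100.2 alice OK
"""

# Constructed relative-view log: "<unix_ts> <viewing_user> <viewed_user>".
# "dave" (compromised above) walks 30 distinct relative profiles; "alice" views 3.
VIEW_LOG = "\n".join(f"{2000 + i} dave rel{i:03d}" for i in range(30)) + "\n" + \
           "\n".join(f"{2030 + i} alice rel{i:03d}" for i in range(3)) + "\n"


@dataclass
class StuffingAlert:
    ip: str
    distinct_users: int
    failures: int
    compromised: list  # accounts that the stuffing source logged into successfully


def detect_credential_stuffing(lines, window=600, min_users=5, min_fail_ratio=0.5):
    """Bucket login events per (source IP, time window). A bucket that touches
    many distinct accounts with a high failure ratio looks like a password
    list being replayed; a legitimate user mistyping one password does not."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        buckets[(ip, int(ts) // window)].append((user, result))
    alerts = []
    for (ip, _), events in buckets.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, r in events if r == "FAIL")
        if len(users) >= min_users and fails / len(events) >= min_fail_ratio:
            compromised = sorted({u for u, r in events if r == "OK"})
            alerts.append(StuffingAlert(ip, len(users), fails, compromised))
    return alerts


def detect_relative_scraping(lines, window=3600, max_views=20):
    """Count *distinct* profiles each account views per window. Returns a
    mapping of account -> count for accounts above the per-window ceiling,
    which is the shape of bulk collection rather than browsing one's matches."""
    views = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, user, viewed = line.split()
        views[(user, int(ts) // window)].add(viewed)
    return {user: len(seen) for (user, _), seen in views.items() if len(seen) > max_views}


if __name__ == "__main__":
    for a in detect_credential_stuffing(AUTH_LOG.splitlines()):
        print(f"stuffing from {a.ip}: {a.distinct_users} accounts tried, "
              f"{a.failures} failures, force-reset {a.compromised}")
    for user, n in detect_relative_scraping(VIEW_LOG.splitlines()).items():
        print(f"scraping: {user} viewed {n} distinct relative profiles in one window")
```

The two checks are deliberately independent: the first fires on the source, the second on the account, so an attacker who spreads logins across many addresses and still succeeds against a handful of accounts is caught by the second check when those accounts start enumerating matches. Thresholds are placeholders; a real deployment would derive them from the observed per-user baseline.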


23andMe Proposes $30 Million Payment for Data Breach

Genetic information and ancestry reports of U.S. citizens were among the information stolen in the cyber attack:

23andMe proposes to compensate millions of customers affected by a data breach on the company's platform, offering $30 million as part of the settlement, along with providing users access to a security monitoring system.

The genetic testing service will pay the amount to approximately 6.4 million American users, according to a proposed class action settlement filed in the U.S. District Court for the Northern District of California on Sept. 12. Personal information was exposed last year after a hacker breached the website's security and posted critical user data for sale on the dark web.

[...] According to the settlement proposal, users will be sent a link where they can delete all information related to 23andMe.

[...] In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, "roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage."

Also at USA Today, Fox Business and The Verge.


  • (Score: 3, Interesting) by VLM on Monday October 28, @01:00PM (9 children)

    by VLM (445) on Monday October 28, @01:00PM (#1379069)

    On one hand, the more paranoid people will demand that they're going to totally screw everyone over to make money.

    On the other hand:

    The company has never made a profit

    If they're already scrambling and "innovating" and running right up against the limits of HIPAA, etc, yet STILL not able to make a dime, then I don't see how they're going to screw everyone over to make money if they can't make money already.

    Now what I could see, is some kind of information apocalypse if nobody buys anything and they shut down completely then scrappers sell the datacenter components on ebay for pennies and technically you could find some interesting stuff on scrap drives. If there's no money there's no money for infosec. Arguably looking at headlines, they already have no money for infosec.

    • (Score: 5, Insightful) by ikanreed on Monday October 28, @01:16PM (2 children)

      by ikanreed (3164) on Monday October 28, @01:16PM (#1379072)

      There is someone who made money from 23 and me, even if 23 and me itself didn't. Illumina sells absurdly expensive sequencing machines, and more importantly, absurdly expensive reagents that you need to add to every batch of DNA you sequence. They make huge year-over-year profits.

      Don't be a prospector, sell shovels.

      • (Score: 3, Interesting) by Ox0000 on Monday October 28, @03:03PM

        by Ox0000 (5111) on Monday October 28, @03:03PM (#1379079)

        You're spot on, plus a bunch of folks at 23andme made a massive amount of money themselves.

        On top of that, 23andme was also trying to be the mining concession salesperson rather than the prospector themselves; their whole spiel was pretending that the DNA information were the tracts of land with valuable veins of minerals in them, if only there were prospectors willing to mine them.

        Their business model was to whore rent out the DNA information they collected from their marks people to whoever paid them for it. It just happened to be the case that that last bit, the thing they needed to actually be profitable, never materialized (or to stick with the gold rush analogy: the tracts of land they sold concessions to were worthless and did not contain valuable veins of minerals).

      • (Score: 3, Insightful) by epitaxial on Monday October 28, @04:07PM

        by epitaxial (3165) on Monday October 28, @04:07PM (#1379084)

        I guarantee all the suits made fortunes.

    • (Score: 3, Insightful) by Unixnut on Monday October 28, @02:54PM (3 children)

      by Unixnut (5779) on Monday October 28, @02:54PM (#1379078)

      On one hand, the more paranoid people will demand that they're going to totally screw everyone over to make money.

      You don't have to be paranoid to assume they will screw over everyone to make as much as they can. After all 23andMe has obviously failed as a company, it has never turned a profit. All the "value" left in the business that you could extract can be broken down into two things:

      1. Physical assets (leases on commercial buildings, office and IT equipment, etc...)
      2. Intellectual assets (i.e. intellectual property, patents, customer information, etc...)

      The owners of the company, having failed at turning a profit, will now seek to extract as much value as they can from the carcass. Paradoxically, had the company made a profit and was being sold, then I would expect them to take great pains to not screw over their customer base for extra money, simply because that is a fast way to ruin a profitable business.

      It brings an interesting point though. If you agree to a privacy policy with a company who then goes defunct and sells the data to another company, is that new company required to follow the privacy policy that was agreed with an entity that no longer exists?

      Normally all agreements are void when a company goes bankrupt, so in my mind the answer is "no". However when it comes to sensitive personal data that is impossible to change (i.e. biometric/DNA data) this seems like a massive legal loophole.

      As an example, if I were a hypothetical Dr. Evil and I wanted to acquire everyone's data for some nefarious purpose, I could not just ask them all to submit the data to "Dr. Evil Corp". Instead I would make some shell company that shows a nice friendly face and I get people to voluntarily submit their data in return for some service. As the goal is to collect the data, it is in my specific interest that the shell company never make a profit. Once I have enough data I pull the plug on the non-profitable shell, it goes bust (and nobody is surprised it went bust, in fact people wonder how it went so long without making a profit) and I can buy up the already collected data in bulk for my nefarious purpose, sometimes even at a discount to the equivalent cost of acquiring it.

      • (Score: 4, Informative) by Ox0000 on Monday October 28, @03:12PM

        by Ox0000 (5111) on Monday October 28, @03:12PM (#1379080)

        I would expect them to take great pains to not screw over their customer base for extra money, simply because that is a fast way to ruin a profitable business.

        Have you actually met an MBA before?

        If you agree to a privacy policy with a company who then goes defunct and sells the data to another company, is that new company required to follow the privacy policy that was agreed with an entity that no longer exists? Normally all agreements are void when a company goes bankrupt, so in my mind the answer is "no". However when it comes to sensitive personal data that is impossible to change (i.e. biometric/DNA data) this seems like a massive legal loophole.

        That depends on how the sale happens: are they buying the assets or the business? If they are buying the assets, then the sale of those assets is what is subject to the privacy policy and the agreement you had with the company. Typically, the ToS say something to the effect of "we can sell this information", and in the case of 23andme, I believe this was their explicit business model. If the business gets sold with the intention of continuing business as the same entity (bankruptcy does not mean that the entity no longer exists, it just means that it is given protection in order to restructure itself which if successful could mean that business continues) then the agreements that were in place before, continue to be in place because there is continuity of entities on the business side and your side.

        Now when a business goes 'out of business' and liquidates, then it's a case of the first one: sell everything, for anything! What I've frequently seen in practice is that your Privacy Policy and ToS becomes meaningless because what are you going to do? Sue a non-existing/liquidating entity post-factum after your data has already been pilfered and copied and consumed by the buying party? These agreements become worthless because they also typically contain a clause that says "we can unilaterally change this at our whim", which they do just before they sell this stuff on and send you a nice e-mail saying "We're selling your stuff 30 days from today and have changed the ToS to reflect our ability to do that, if you don't want this, first stop using the site for 90 days starting today to inform us you don't want this happening".

      • (Score: 2) by JoeMerchant on Monday October 28, @04:20PM

        by JoeMerchant (3937) on Monday October 28, @04:20PM (#1379086)

        >is that new company required to follow the privacy policy that was agreed with an entity that no longer exists?

        Absolutely.

        Deed restrictions run with the land, when you buy a home from a seller who agreed to a deed restriction, you are agreeing to the same deed restriction.

        In practice? In practice bottom feeders who go around buying out bankrupt entities are going to liquidate whatever they can for whatever they can get and abscond with the profits to whatever jurisdiction won't prosecute them for their illegal profits - what's their incentive otherwise?

        --
        🌻🌻 [google.com]
      • (Score: 2) by VLM on Tuesday October 29, @12:15PM

        by VLM (445) on Tuesday October 29, @12:15PM (#1379220)

        is that new company required to follow the privacy policy that was agreed with an entity that no longer exists?

        I think we're kind of talking past each other. Aside from TOS issues, there are various laws.

        Back "in the old days" before those laws existed or were as enforced or as much attention was paid to 23andme, under a much less restrictive legal environment, they couldn't make money.

        Now things are more restrictive and they can't make money.

        The paranoid part is thinking if they roll back in time and go vaguely felony gangster they'll make money, so they'll "have to" break the law and go gangster and post all our G's, C's, A's and T's in order on 4chan, although nobody can figure out how that would make them money, AND back in the wild west days it did indeed make them no money. So they'll "have to" release our private data or have it stolen just because or something; I don't understand the reasoning.

        We seem to agree (I think?) that the most likely privacy breach is some construction crew contractor removes all the hard drives as scrap, sells them on ebay not knowing or caring what's on the drives, and someone gets data. Data that you can't actually make money with, but a privacy violation nonetheless.

    • (Score: 3, Interesting) by JoeMerchant on Monday October 28, @04:17PM

      by JoeMerchant (3937) on Monday October 28, @04:17PM (#1379085)

      When Redbox died, they sold the customer information stored in their kiosks (and there is certainly more there than should be, and it's nowhere near as secure as it should be). Maybe they weren't charging for that customer information, but de facto they sold the info right along with the old DVDs in the machines.

      Whoever buys 23andMe's assets from receivership will certainly want whatever value they can get from the DNA, right up to and over whatever HIPAA boundaries might be crossed in the confidential files.

      Owing to the points you make about the minimal business value of the data demonstrated by 23andMe's operational lack of profits, combined with the potential for extreme negative effects that such data might bring to the former clients who entrusted 23andMe with it, as judge I would tell the creditors to forget about getting any value from the data and just order it wiped. That data, in the hands of the insurance industry (assuming it's not already there) could be used for blacklists, pre-existing conditions witch hunts, etc.

      On the one hand: Transparency is Always The Answer. Insurance companies should be publicly auditable as to their client charge tables, payout amounts, etc. etc. etc. Others who might discriminate against certain classes based on their DNA profiles should also be sufficiently transparent about their operations to solidly assure the public that discrimination is not happening. Companies that base hiring decisions on DNA profiles should be completely transparent about how that is done: (i.e. predisposition to dementia combined with advanced age _should_ be a disqualifier for safety critical jobs like Air Traffic Controller...) Were that all so, we might all benefit tremendously by being forthright about our DNA profiles, correlating them to diseases, successful and unsuccessful treatments of the diseases, etc. But, until lack of significant discrimination is assured, it is in most people's best interests to keep their DNA as private as they can.

      --
      🌻🌻 [google.com]
    • (Score: 3, Insightful) by Frosty Piss on Monday October 28, @07:36PM

      by Frosty Piss (4971) on Monday October 28, @07:36PM (#1379117)

      I don't see how they're going to screw everyone over to make money if they can't make money already.

      By selling the data to A) Law enforcement / Three Letter Agencies; and / or B) the AI companies...

  • (Score: 2) by Username on Monday October 28, @01:49PM

    by Username (4557) on Monday October 28, @01:49PM (#1379073)

    Again, selling info to your customers isn't a breach. Just like how facebook having RNC NGOs as customers wasn't a breach either.

  • (Score: 5, Insightful) by Ingar on Monday October 28, @02:00PM

    by Ingar (801) on Monday October 28, @02:00PM (#1379074)

    What this might mean for its vast stores of genetic data is unclear.

    They will be sold at a discount.

    --
    Understanding is a three-edged sword: your side, their side, and the truth.
  • (Score: 2) by linkdude64 on Tuesday October 29, @07:27AM (1 child)

    by linkdude64 (5482) on Tuesday October 29, @07:27AM (#1379206)

    [The Tyranid Hive Mind would like to know your location]

    • (Score: 2) by looorg on Tuesday October 29, @10:58AM

      by looorg (578) on Tuesday October 29, @10:58AM (#1379217)

      Wojcicki does look a bit like a genestealer, perhaps there is cult activity in the works. Where is the Inquisition when you need them ...
