23andme…and you….and some relatives….

Omega Man

Fortis Fortuna Adiuvat
Staff member
Unfortunately, 23andme has been hacked. What this means for those involved, past disappointment, is yet to be determined.
From CNN-

(CNN)

A hacker or hackers have accessed nearly seven million profiles of 23andMe customers, a spokesperson for the genetic testing firm told CNN on Tuesday, including in some cases users’ ancestry reports, zip codes and birth years.

A Friday filing from 23andMe to the Securities and Exchange Commission said that about 0.1% of the company’s user accounts, or roughly 14,000, had their accounts breached by the hackers.

23andMe is standing by that number but is also now telling reporters that the hackers were able to access some 5.5 million profiles that use a company feature called DNA Relatives that allows users to find genetic relatives. In addition, the hackers accessed a subset of family tree information on 1.4 million DNA Relatives profiles, the 23andMe spokesperson said in an emailed statement.

Full CNN story here- https://www.cnn.com/2023/12/05/tech/hackers-access-7-million-23andme-profiles/index.html

From what I have read, this genetic testing has a fairly large following, from the inquisitive to the possible health benefits.

Be careful out there.

OM
 
I'm not about to have my DNA in a database somewhere, and this report is one of the reasons.

Gov can access all those records if they choose to. Hell, they could hack it themselves for that matter. Years down the road, and it may be a shorter road than we might expect, gov could find who's been vaxed and who hasn't, and deny services/social security etc. unless you comply with their wish that everyone gets vaxed.

That's just one example. Here's another--- you have something in your blood that predisposes you to some form of cancer. Ins Co's decide you're a high risk and deny health or life insurance.

The less gov knows about me, the better.
 
This was posted as a PSA (public service announcement). Understanding political considerations here on the forum, let's let this inform those that have been using 23andme, or a similar service like the Ancestry platform, and let them consider any ramifications from the breach rather than political possibilities.
TIA

OM
 
Key piece of info from the article:

In the case of 23andMe, the hackers reused old usernames and passwords from other websites to break into 23andMe customer accounts — a rudimentary but effective technique called credential stuffing.

Pretty much a no-no when it comes to anything online.
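A detection-side illustration of the credential stuffing the article describes, added for this thread (not code from CNN, 23andMe or the forum): it runs over constructed login log lines and flags a source address that tries many different accounts in a short window, then lists which accounts logged in successfully from it, since those are the ones a defender would force through a password reset and session revocation.

```python
"""Credential-stuffing detector over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical addresses and users, not from the article).
# 203.0.113.5 sprays six different accounts in five seconds (stuffing pattern);
# 198.51.100.7 is one user mistyping their own password (normal retry pattern).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=frank result=OK
2023-10-01T12:00:10Z ip=198.51.100.7 user=gina result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.7 user=gina result=FAIL
2023-10-01T12:00:30Z ip=198.51.100.7 user=gina result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window_seconds=60, distinct_user_threshold=5):
    """Flag source IPs that attempted at least `distinct_user_threshold` distinct
    accounts inside any sliding window of `window_seconds`.

    Returns {ip: {"distinct_users": n, "compromised": [users that logged in OK]}}.
    The distinct-account count is the key signal: a legitimate user retrying one
    account never trips it, while a stuffing run cycles through many accounts.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start, peak = 0, 0
        for end in range(len(evs)):
            # advance the window start until it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({u for _, u, _ in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= distinct_user_threshold:
            # any successful login from a flagged source is a likely account takeover
            compromised = sorted({u for _, u, ok in evs if ok})
            findings[ip] = {"distinct_users": peak, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"force reset for {', '.join(info['compromised']) or 'nobody'}")
```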
 
I'm not about to have my DNA in a database somewhere, and this report is one of the reasons.

Gov can access all those records if they choose to. Hell, they could hack it themselves for that matter. Years down the road, and it may be a shorter road than we might expect, gov could find who's been vaxed and who hasn't, and deny services/social security etc. unless you comply with their wish that everyone gets vaxed.

That's just one example. Here's another--- you have something in your blood that predisposes you to some form of cancer. Ins Co's decide you're a high risk and deny health or life insurance.

The less gov knows about me, the better.

Unfortunately, my friend, I believe it's too late. You probably already are in several databases. The best you can hope for is that a lot of your info is still blank... and that's only if you stay off social media of any kind (forums like this one).
 
Lesson: Enable two factor authentication on as many of your accounts as you can so that user ID and PW won't be sufficient to gain access to your accounts.

If you use tools like Okta or any other Auth0-style tool, that's a huge step up in security. If you use Apple OS or iOS, they check your passwords and will tell you which of your passwords is at high risk or has been found in a data leak so you can proactively change them before you lose control of your account.

Don't just click through those warnings. The OS is showing you exactly where your potential breach may occur.
 
Unfortunately, my friend, I believe it's too late. You probably already are in several databases. The best you can hope for is that a lot of your info is still blank... and that's only if you stay off social media of any kind (forums like this one).


You have a driver's license. You have an address. You probably have a phone, a driver's license, some bikes, an energy provider account, an ISP provides your internet, you pay your taxes, you have an account with say, Max BMW, etc. You are likely in dozens of databases, including the MOA's membership database, if you're operating in the modern world in any fashion.

Your potential breach won't come from your social media account. It'll come from the stale password one's been using on all their accounts that they never got around to updating. They might get phished and punch their credentials into a fake Amazon account interface. You might get spear phished where someone calls you purporting to be from your bank and gets you to provide account information. You might download and open that sketchy attachment that installs a keystroke logger or monitoring software on your device.

Someone called my wife representing themselves as being from my wife's employer - our bank. They were trying to glean information about us from her and when she asked which cost center the caller was in and what organization she was in at the bank, the woman hung up. Prior to that, it was a very well executed spear phish. But she knew enough to check because she's a data professional.

Those are your exposure points, speaking as a data professional that answers security questions on RFPs and RFIs. It will likely not be due to you being in some client database somewhere.

Strong passwords should be your norm, in conjunction with multi factor authentication that asks for one of the holy trinity: something you are (biometric), something you know (your favorite artichoke topping) or something you have (a device like an RSA token). These should be part of your data hygiene if you want your highest ability to stay secure.

Stay safe, folks. It's a bit to get that going, but once rolling, you'll be as safe as you can reasonably be against unwanted exposure of your personal data.
 
Unfortunately, my friend, I believe it's too late. You probably already are in several databases. The best you can hope for is that a lot of your info is still blank... and that's only if you stay off social media of any kind (forums like this one).

No one has my dna on file in any database anywhere. Of course, if you've used such service as 23/me, you're in a database that can be used by the gov in many ways in the future.

Yes, I'm in the FBI's national database as well as two states' FBI files. Nature of the work back in the day. I'm in other databases as well, but no one had my DNA on file.

And it's going to stay that way. One day, people with DNA on file may be denied medical services if they haven't followed the gov's "suggestion" on vaccines, to name one of the biggest concerns which reared its ugly head during the pandemic a few years back. People who couldn't verify they had the shot were denied all types of services.

And just to add to the above. This isn't a political post, it's a real world concern to have your DNA in a database that can be accessed by court order or by hacking the database itself. The risk doesn't come close to the reward of finding long dead relatives.
 
No one has my dna on file in any database anywhere. Of course, if you've used such service as 23/me, you're in a database that can be used by the gov in many ways in the future.

Yes, I'm in the FBI's national database as well as two states' FBI files. Nature of the work back in the day. I'm in other databases as well, but no one had my DNA on file.

And it's going to stay that way. One day, people with DNA on file may be denied medical services if they haven't followed the gov's "suggestion" on vaccines, to name one of the biggest concerns which reared its ugly head during the pandemic a few years back. People who couldn't verify they had the shot were denied all types of services.

And just to add to the above. This isn't a political post, it's a real world concern to have your DNA in a database that can be accessed by court order or by hacking the database itself. The risk doesn't come close to the reward of finding long dead relatives.

There are some legal structures that make it very, very difficult for an entity to gain access to this kind of information. First off, law enforcement needs a warrant to collect information from an entity, so it's going to have to get past a judge and show reasonable cause and specify exactly what they hope to collect. If I recall, you were an LEO, so you know about warrants and how they usually have a limited scope. I deal with data collection in litigation and the collection instructions are very, very precise and specific.

The other part can depend on where you live. If you live in Europe, the GDPR will prevent entities from releasing your information without your approval. Same in California, where we have the CCPA which allows similar abilities on the part of us who have data stored in the cloud. Depending on your locale and how they treat data privacy, you may have more or less protection. If you don't have something like the CCPA or GDPR in your area, this is something your legislators should be paying attention to. Here in CA, commercial entities are not allowed to collect or use my information without my consent and if they do, I can file a DSAR request and they will have to provide full detail about who and why they've shared my data. IMHO, ALL Americans should have this protection, but we're not there yet.

Finally we have laws regulating the distribution of personal health information, such as your vax status, your health history and the like. You may have noticed that you can't just swap emails or texts with your doctor or health provider unless you do it inside their secured comm channels. HIPAA is a big deal and it is a huge barrier to having your health information discovered and used without your consent.

We should be careful with this kind of language and not overstate nor understate the concerns. A private entity that's doing DNA analysis is not a source that "the gov" can touch without your consent. From the 23andMe data protection page: We will not release any individual-level personal information to law enforcement without your explicit consent unless required by law. We closely scrutinize all law enforcement requests, and we will only comply with court orders, subpoenas, search warrants or other requests that we determine are legally valid.

I'd assume you've had experience with warrants and the boundaries around warrants in the course of your career. They are no different than any other entity housing evidence and the laws are the same. Probable cause, what you believe will be discovered courtesy of the warrant, as well as boundaries about what can be used in court.

I hope that's helpful. There's a lot of fear, uncertainty and doubt about data protection, so I hope that was illustrative and eases some of your concerns.
 
There are some legal structures that make it very, very difficult for an entity to gain access to this kind of information. First off, law enforcement needs a warrant to collect information from an entity, so it's going to have to get past a judge and show reasonable cause and specify exactly what they hope to collect. If I recall, you were an LEO, so you know about warrants and how they usually have a limited scope. I deal with data collection in litigation and the collection instructions are very, very precise and specific.

The other part can depend on where you live. If you live in Europe, the GDPR will prevent entities from releasing your information without your approval. Same in California, where we have the CCPA which allows similar abilities on the part of us who have data stored in the cloud. Depending on your locale and how they treat data privacy, you may have more or less protection. If you don't have something like the CCPA or GDPR in your area, this is something your legislators should be paying attention to. Here in CA, commercial entities are not allowed to collect or use my information without my consent and if they do, I can file a DSAR request and they will have to provide full detail about who and why they've shared my data. IMHO, ALL Americans should have this protection, but we're not there yet.

Finally we have laws regulating the distribution of personal health information, such as your vax status, your health history and the like. You may have noticed that you can't just swap emails or texts with your doctor or health provider unless you do it inside their secured comm channels. HIPAA is a big deal and it is a huge barrier to having your health information discovered and used without your consent.

We should be careful with this kind of language and not overstate nor understate the concerns. A private entity that's doing DNA analysis is not a source that "the gov" can touch without your consent. From the 23andMe data protection page: We will not release any individual-level personal information to law enforcement without your explicit consent unless required by law. We closely scrutinize all law enforcement requests, and we will only comply with court orders, subpoenas, search warrants or other requests that we determine are legally valid.

I'd assume you've had experience with warrants and the boundaries around warrants in the course of your career. They are no different than any other entity housing evidence and the laws are the same. Probable cause, what you believe will be discovered courtesy of the warrant, as well as boundaries about what can be used in court.

I hope that's helpful. There's a lot of fear, uncertainty and doubt about data protection, so I hope that was illustrative and eases some of your concerns.

My concern is that if the bad guys have your account access information, they can impersonate you and divulge whatever information that you, as the account holder have. The concern isn’t about legal access with warrants, but improper use of your very personal data.

Doug
 
My concern is that if the bad guys have your account access information, they can impersonate you and divulge whatever information that you, as the account holder have. The concern isn’t about legal access with warrants, but improper use of your very personal data.

Doug

Totally agree with you. I'm not worried about the government accessing my data because there are significant legal barriers to doing so, all of which require probable cause at minimum and in other situations, the consumer may have full control.

It's important to take the time to read the data privacy and data use clauses when you're clicking through those "Terms of Use" statements. They are legally binding and may allow other entities access to your data.

That's tedious and kind of a barrier, but it's another tool in your kit to ensure your data stays your data. I use tools like Apple's Private Relay to ensure that my true email address isn't revealed to other entities.

I'm not afraid of government intrusion into my data given the current laws, but I am concerned about data leakage in a breach by nefarious actors, for example. So I've taken steps to reduce the potential for someone to "impersonate" me. Strong passwords, Private Relay, 2 Factor Authentication, especially with biometric validation that's impossible or close enough to impossible to spoof.

:thumb
 
Totally agree with you. I'm not worried about the government accessing my data because there are significant legal barriers to doing so, all of which require probable cause at minimum and in other situations, the consumer may have full control.

It's important to take the time to read the data privacy and data use clauses when you're clicking through those "Terms of Use" statements. They are legally binding and may allow other entities access to your data.

That's tedious and kind of a barrier, but it's another tool in your kit to ensure your data stays your data. I use tools like Apple's Private Relay to ensure that my true email address isn't revealed to other entities.

I'm not afraid of government intrusion into my data given the current laws, but I am concerned about data leakage in a breach by nefarious actors, for example. So I've taken steps to reduce the potential for someone to "impersonate" me. Strong passwords, Private Relay, 2 Factor Authentication, especially with biometric validation that's impossible or close enough to impossible to spoof.

:thumb

Based on past experience with gov types, along with numerous examples of uncle doing whatever they feel like with no repercussions, I'll not trust the legal system to keep them out of my life.
 
Let me be a little ambiguous. If a person has a family history of certain illnesses or conditions a DNA analysis might be useful - maybe even life saving. If a person is adopted (I was, essentially at birth - 6 weeks old actually) there might be reasons to want to understand a person's biological heritage and/or living relatives. My adopted sister, also adopted essentially at birth, did that and found her bio-sisters and brothers. I wasn't curious enough to do so - yet anyway. At 78 the odds are pretty good I would not find bio-mom or bio-dad still alive in any event.

My point: There are valid reasons to explore ancestry and DNA beyond wondering if I really am part indigenous American, or Italian or Norwegian or partly Congolese. As often in life, one person's fervently held misconception might not apply to everybody else.
 
There are some legal structures that make it very, very difficult for an entity to gain access to this kind of information. First off, law enforcement needs a warrant to collect information from an entity, so it's going to have to get past a judge and show reasonable cause and specify exactly what they hope to collect. If I recall, you were an LEO, so you know about warrants and how they usually have a limited scope. I deal with data collection in litigation and the collection instructions are very, very precise and specific.

The other part can depend on where you live. If you live in Europe, the GDPR will prevent entities from releasing your information without your approval. Same in California, where we have the CCPA which allows similar abilities on the part of us who have data stored in the cloud. Depending on your locale and how they treat data privacy, you may have more or less protection. If you don't have something like the CCPA or GDPR in your area, this is something your legislators should be paying attention to. Here in CA, commercial entities are not allowed to collect or use my information without my consent and if they do, I can file a DSAR request and they will have to provide full detail about who and why they've shared my data. IMHO, ALL Americans should have this protection, but we're not there yet.

Finally we have laws regulating the distribution of personal health information, such as your vax status, your health history and the like. You may have noticed that you can't just swap emails or texts with your doctor or health provider unless you do it inside their secured comm channels. HIPAA is a big deal and it is a huge barrier to having your health information discovered and used without your consent.

We should be careful with this kind of language and not overstate nor understate the concerns. A private entity that's doing DNA analysis is not a source that "the gov" can touch without your consent. From the 23andMe data protection page: We will not release any individual-level personal information to law enforcement without your explicit consent unless required by law. We closely scrutinize all law enforcement requests, and we will only comply with court orders, subpoenas, search warrants or other requests that we determine are legally valid.

I'd assume you've had experience with warrants and the boundaries around warrants in the course of your career. They are no different than any other entity housing evidence and the laws are the same. Probable cause, what you believe will be discovered courtesy of the warrant, as well as boundaries about what can be used in court.

I hope that's helpful. There's a lot of fear, uncertainty and doubt about data protection, so I hope that was illustrative and eases some of your concerns.

The issue isn't as much what those following the rules could do with such personal information or if they are allowed to access it. The issue is what hackers or others who don't intend to follow the rules can do with such personal information. Massive data breaches occur on a daily basis, providing more than ample info for bad actors to impersonate or take over our identity. Many times they are exploiting our own stupidity, but many other times they are exploiting others' mistakes. Do you want to give hackers potential access to DNA info too?
 
The issue isn't as much what those following the rules could do with such personal information or if they are allowed to access it. The issue is what hackers or others who don't intend to follow the rules can do with such personal information. Massive data breaches occur on a daily basis, providing more than ample info for bad actors to impersonate or take over our identity. Many times they are exploiting our own stupidity, but many other times they are exploiting others' mistakes. Do you want to give hackers potential access to DNA info too?

I agree with you about improper use by the gov. We also have an increasingly strong set of laws that help protect our data from misuse by both government agencies and private enterprise.

For nefarious access, we definitely want to use all the security tools we have available to prevent that. I'm not sure whether I want to have the DNA test for Ancestry. Seriously. I've been vacillating on it for two years at least while it sits on my desk because it'd potentially help me solve a family mystery: who is my mom's father? But I'm also compulsive about my data and security hygiene, hence my indecision.

So, the DNA thing is going to be a personal decision, but we should do everything we can to harden our accounts to prevent access by intruders and we should continue to demand that data protection laws are enacted that give us something they have in the EU courtesy of the GDPR: the right to be forgotten by those who hold our data, as well as the ability to know, specifically, who has access to our data, who "processes" our data and ultimately, where it's held and how it's managed.

Great comment. Thanks.
 
because it'd potentially help me solve a family mystery: who is my mom's father?

Not sure what you've been doing with ancestry investigations, but DNA is not the first thing to do. First thing is to use a good online program and enter the information that you know of. Then usually, that "great computer in the sky" begins to suggest new info which you can vet in a variety of ways. If you have no idea of your family or like Paul said are adopted, then DNA becomes something that can help.
 
Not sure what you've been doing with ancestry investigations, but DNA is not the first thing to do. First thing is to use a good online program and enter the information that you know of. Then usually, that "great computer in the sky" begins to suggest new info which you can vet in a variety of ways. If you have no idea of your family or like Paul said are adopted, then DNA becomes something that can help.

I've been on it a few years and have extensively investigated who my grandfather was. At this point, I've been unable to surface birth records or much else.

The recommendation or "hint" engine is really, really good and I was able to trace my Dutch family back to the 1600s, my Irish heritage back to the early 1700s and have a pretty good accounting of our growth here in the states, but there's that missing piece that might be solved by DNA analysis.

Like I said, I've been vacillating on the DNA thing. On one hand, I'd like to know. On the other hand, I'd like to protect my DNA information from potential misuse.
 
All this makes me wonder what people do when they are involved in a medical data breach?

With all the private information floating around, does it remain a big deal?

Does something like the offer of credit monitoring help?

How much does a breach increase one’s odds of identity theft?

Is a breach and release of sensitive, personal information in this day and age inevitable?

How is “personal” damage resolved?

Is the “entrusted” company liable for the release?

OM
 
All this makes me wonder what people do when they are involved in a medical data breach?

With all the private information floating around, does it remain a big deal?

Does something like the offer of credit monitoring help?

How much does a breach increase one’s odds of identity theft?

Is a breach and release of sensitive, personal information in this day and age inevitable?

How is “personal” damage resolved?

Is the “entrusted” company liable for the release?

OM

Breaches are generally intended to collect commercially valuable information. User names and what we call “PII”: personally identifying information. They don’t care about your lab results, they want the factors that will confirm an identity to gain access to your financial resources.

“PHI” is personal health information and its distribution and dissemination is controlled by HIPAA, including required security for transmission. For example, if I communicate with my doctor it has to be through a secured messaging system, not unencrypted email. My providers have an app that allows me to access my info, but no general web page.

In the US, the possessor of such information is entrusted with and is required to treat the information according to regulations that cover things like encryption, access and storage, as well as prescribed access controls and systems.

If there is a breach, entities that hold, control, manage and “process” PII are required to provide notice to people that have had their data breached, along with a description of what information has been released.

Prior to a breach, most entities that possess your PII are obligated to share with you the data they have about you. A DSAR may be filed and you may request any information a company holds about you. The laws vary by state, but more states are adding these protections. As a data professional, I can tell you that the US offers weak protection in most jurisdictions. Some states like CA, UT and VA have enacted data governance and protection laws that approach the EU’s GDPR, but some are closer than others. We have some national laws, but imho they’re weak and don’t protect the consumer. Most states have no laws at all and entities may do whatever they wish with your data, including selling it without your knowledge or approval.

Here’s the thing, if your data is out there, the damage is done. You may get a Class Action Notice if your data has been breached and a settlement reached. File for it and “join the class”. You will be joined as a plaintiff and you will get paid. If there is no class of plaintiffs formed, talk with a plaintiff firm. They may be interested in forming a class and will fund the complaint and suit in a contingency arrangement.

But mostly, we need laws that regulate who may collect, process, manage and sell our PII. We are way behind in these protections as a nation.

Credit reporting is provided so you can make sure you’re proactive on misuse of your information and respond in a timely way, while it can be remediated.

Finally, I’ve talked about “two factor authentication” as being crucial to your security. Set it up on your accounts if it’s offered. Even if someone gets your password, they’ll be missing the mechanism to respond and confirm they’re a valid user. It could be a confirmation code like Okta, it could be a biometric response, like Face ID or your thumbprint, or an answer to a question only you know the answer to.

If you have this 2FA in place, your accounts will be as secure as we can make them. If someone gets into your email, they can assume your identity easily, so start there. Use it on eBay, PayPal, etc. as well if it’s offered.

We have rights as citizens and consumers to know how our data is used, who uses it and what they do with it, but it varies by state, so know your rights and you’ll know how to respond to a breach.

I hope that’s helpful.
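The two-factor point made here and earlier in the thread (password plus something you have) in working form, added for this thread rather than taken from any site or member: a standard RFC 6238 TOTP check (HMAC-SHA1, 30-second step) next to a salted password hash, so a password captured in a breach fails the login on its own, and so does a code replayed from an earlier time step. The user record, password and salt handling are constructed for the example; the secret is the RFC 6238 test-vector key.

```python
"""Password + TOTP second factor: a reused password alone does not get in."""
import base64
import hashlib
import hmac
import os
import struct

# OWASP-recommended work factor for PBKDF2-HMAC-SHA256 (as of 2023).
PBKDF2_ITERATIONS = 600_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side (clock drift).
    Constant-time comparison so a wrong guess leaks nothing about the digits."""
    for delta in range(-skew, skew + 1):
        expected = hotp(secret, unix_time // step + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, totp_secret_b32: str) -> dict:
    """Constructed user record: only the salted hash and the TOTP secret are kept."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": base64.b32decode(totp_secret_b32),
    }


def login(user: dict, password: str, otp_code, unix_time: int) -> bool:
    """Both factors must pass. Evaluate both so a wrong password and a wrong
    code take the same time; return True only when both are correct."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = otp_code is not None and verify_totp(user["totp_secret"], otp_code, unix_time)
    return pw_ok and otp_ok


def demo() -> dict:
    """Three login attempts with the same (leaked) password; only one succeeds."""
    secret_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of the RFC 6238 test key
    secret = base64.b32decode(secret_b32)
    user = make_user("alice", "correct horse battery staple", secret_b32)  # constructed
    now = 1234567890  # RFC 6238 test time
    app_code = totp(secret, now)          # what alice's authenticator shows right now
    stale_code = totp(secret, 59)         # a code captured long ago and replayed
    return {
        "password_only": login(user, "correct horse battery staple", None, now),
        "password_and_replayed_code": login(user, "correct horse battery staple", stale_code, now),
        "password_and_app_code": login(user, "correct horse battery staple", app_code, now),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt}: {'accepted' if ok else 'rejected'}")
```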
 
Breaches are generally intended to collect commercially valuable information. User names and what we call “PII”: personally identifying information. They don’t care about your lab results, they want the factors that will confirm an identity to gain access to your financial resources.

“PHI” is personal health information and its distribution and dissemination is controlled by HIPAA, including required security for transmission. For example, if I communicate with my doctor it has to be through a secured messaging system, not unencrypted email. My providers have an app that allows me to access my info, but no general web page.

In the US, the possessor of such information is entrusted with and is required to treat the information according to regulations that cover things like encryption, access and storage, as well as prescribed access controls and systems.

If there is a breach, entities that hold, control, manage and “process” PII are required to provide notice to people that have had their data breached, along with a description of what information has been released.

Prior to a breach, most entities that possess your PII are obligated to share with you the data they have about you. A DSAR may be filed and you may request any information a company holds about you. The laws vary by state, but more states are adding these protections. As a data professional, I can tell you that the US offers weak protection in most jurisdictions. Some states like CA, UT and VA have enacted data governance and protection laws that approach the EU’s GDPR, but some are closer than others. We have some national laws, but imho they’re weak and don’t protect the consumer. Most states have no laws at all and entities may do whatever they wish with your data, including selling it without your knowledge or approval.

Here’s the thing, if your data is out there, the damage is done. You may get a Class Action Notice if your data has been breached and a settlement reached. File for it and “join the class”. You will be joined as a plaintiff and you will get paid. If there is no class of plaintiffs formed, talk with a plaintiff firm. They may be interested in forming a class and will fund the complaint and suit in a contingency arrangement.

But mostly, we need laws that regulate who may collect, process, manage and sell our PII. We are way behind in these protections as a nation.

Credit reporting is provided so you can make sure you’re proactive on misuse of your information and respond in a timely way, while it can be remediated.

Finally, I’ve talked about “two factor authentication” as being crucial to your security. Set it up on your accounts if it’s offered. Even if someone gets your password, they’ll be missing the mechanism to respond and confirm they’re a valid user. It could be a confirmation code like Okta, it could be a biometric response, like Face ID or your thumbprint, or an answer to a question only you know the answer to.

If you have this 2FA in place, your accounts will be as secure as we can make them. If someone gets into your email, they can assume your identity easily, so start there. Use it on eBay, PayPal, etc. as well if it’s offered.

We have rights as citizens and consumers to know how our data is used, who uses it and what they do with it, but it varies by state, so know your rights and you’ll know how to respond to a breach.

I hope that’s helpful.

All that makes sense.
I wonder if approaching all three credit reporting agencies and posting (with them) all your important information is a good thing?
Seems like the credit reporting agencies, knowing that they have ALL the important information, would be a prime, consistent target for hackers?

OM
 