23andMe Data Scraping Incident Raises Concerns Over Genetic Privacy

Last Friday, 23andMe confirmed unsettling news: private data for some of its users is currently up for sale. This confirmation came five days after an unknown entity advertised the sale of millions of 23andMe users’ private information on an online crime forum. While the forum posts claimed to include everything from origin estimations to health records, 23andMe argues that these are “unsubstantiated claims at this point.”

According to officials from 23andMe, the data was scraped: collected systematically in small pieces that are then reassembled into a large dataset. The attackers gained unauthorized access to individual 23andMe accounts through the DNA Relatives feature, which allows users to find potential relatives by opting in to share certain data.

This incident is a reminder of the risks involved in storing genetic data online. Even though companies like 23andMe advise strong passwords and two-factor authentication, scraping incidents like this show that these safeguards may not be enough. In 2018, MyHeritage faced a similar crisis, in which data for more than 92 million users was compromised.

While there are obvious benefits to using genealogy services for tracing heritage and locating relatives, the privacy risks are real. Law enforcement in California, for example, used a different genealogy site, GEDmatch, to track down a suspect in a 40-year-old murder case. The suspect had never submitted a DNA sample, but a related GEDmatch user’s data provided the necessary match.

The data scraping incident at 23andMe emphasizes the persistent vulnerabilities in storing genetic data online.