Millions of people’s DNA up for sale after business collapses – what does this mean for your data?
Millions of people’s DNA records are up for sale after a major home-testing company declared bankruptcy.
23andMe saw its chief executive step down and more than 15 million people’s data put up for sale after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation.
Announcing the move, the company said that data privacy would be an “important consideration” but that the goal was to “maximise the value of its assets”.
So what does that mean for your data?
Cybersecurity expert Ross Brewer from security firm Graylog told Money the company’s collapse could see customer data ending up on the dark web, placing customers at risk of serious financial harm.
“Access to users’ family tree information can allow human scammers and bots at scam farms and call centres to send more personalised messages, or more convincing fraudulent emails designed to persuade people to reveal sensitive information or install malware on their devices,” he explained.
“For example, through accessing personal names and genetic details, scammers could more easily convince a target that they are a family member, or know them or their family.”
Individuals’ password information may also be compromised, leading to an increased risk of accounts being taken over, and further breaches taking place, he said.
“If cybercriminals have managed to compromise your passwords at 23andMe, they can potentially also access other accounts with the same password, such as utilities and banking, to cause more damage. They may even be able to access corporate accounts with the same password, causing a business risk.”
This DNA information is also highly attractive to insurance companies, who could step in and buy these assets to collect family data and improve risk profiling to then change an individual’s premium and cover accordingly.
What can you do to protect yourself?
“UK customers should employ good password hygiene,” Brewer said, which means immediately changing any passwords that are the same as the one for your 23andMe account.
He also suggested using two-factor authentication where possible.
“Be cautious and suspicious of activity that may result from a threat actor trying to impersonate you by stealing your identity, especially accounts related to health insurance, banking or other sensitive areas,” he added.
Brewer said that it was not just private individuals but companies that needed to “fortify their defences” to thwart potential attacks within their systems.
“This requires that organisations focus on basic cybersecurity hygiene best practices and ensure they are monitoring their normal user activity so they can look for abnormalities as impersonators leverage their stolen data.”