Too late? And the companies that pop up to take their place won't have had at least one of their security holes demonstrated so that it can then be plugged.
I was under the impression that no DNA data was hacked. That what was hacked is just a bit more than a hacker would get from hacking Ancestry.com's database of family trees.
But you hardly need a DNA database for that? Usually the type of identities that are discriminated against are pretty clear from the outset.
Even the Nazis and their Rassenkunde bollocks was more post-hoc window-dressing rationale than anything else – they really didn't need that to tell who the Jews, Slavs, Roma, etc. were. This is usually the pattern: "I want to discriminate against $group for $emotional reasons, and I can't really articulate why, so let me find $facts to support my $case".
And look, if you want to keep it private then you should of course keep it private, and if 23andme promises to keep it private then you have every right to keep them to their promise. Privacy is fundamentally about choice, and those choices will be different for everyone and I'm not here to judge anyone's choices. But personally, I think the abuse for DNA data is actually quite small, almost non-existent.
DNA analysis can be used to profile you. Health risks, ancestry, genetic conditions. This could be used to deny insurance coverages and employment opportunities due to perceived health risks.
DNA analysis is rapidly evolving to extract more information than you might initially assume. We don't know how much or how accurately DNA can be used do infer your preferences, moral instincts, aggressive tendencies, intelligence, propensity to fall victim of a scam, to become addicted, to act violently, etc.
DNA also provides insights into the genetic makeup of family members, which can face the same problems.
This article seems like a breathless rant. He didn't even take the time to explain what I interpret to be the meaning of his incendiary title, which is that DNA companies who get hacked should be dissolved, or punitively fined to the extent that they can no longer function. Because, of course, you can't literally kill a company. I don't support the death penalty for flesh and blood people, but I'd be fine with it for corporations in certain cases. I'm not sure I agree that it should always happen in the case of a hack; the risk of an intrusion can never be eliminated, only mitigated, so a blanket "off with their heads" rule for any hack seems rather blunt and unnecessary: you'd guillotine any theoretical responsible companies who happened to be targeted by determined actors. Case by case executions perhaps?
One thing I'd very much like to see here is transparency. The author of this article seems to assume the worst. I don't know if that's a reasonable assumption, but "assumptions" is all we can go on right now.
23andme claims "re-used passwords". We just have to take them at their word for this. I don't think they're outright lying, but you can misrepresent things without strictly telling falsehoods.
But if we take them at their word, there's a huge amount of nuance there too – are we talking about a large and advanced botnet or just ten IPs that accessed those millions of accounts? The first might be very hard to protect against, the second would raise a lot more eyebrows. What kind of security measures do they have? Things like that.
Right now, all I can really do is ... shrug. Because I just don't have enough information to judge one way or the other.
And it would improve security, because forced airing of your dirty laundry is a good motivation for going to the laundrette.
In the end this would benefit everyone, including the companies themselves.
23andme is a public company and seems to already be headed towards bankruptcy. Their share price has fallen by 93% since going public, and they’re burning something like $400m per year on $240m of revenue. I wonder if this incident will be the nail in the coffin.
No company will avoid being hacked. If you don't want your info leaked, don't share it. The more sensitive it is, the more you should think twice.
It may be a couple years yet until the big teleheath hacks come out, and you discover all those private disclosures are sold for pennies on the dark market, or just leveraged by adversaries.
That's part of it. I know I'm in there even though I haven't signed up for it. Like Clearview will know me everywhere because somebody's put up photos on FB with me in them somewhere.
Your biometrics, including your DNA, are not sensitive or private.
You leave your DNA at every restaurant you visit, and you display your biometrics in every public place. They are not remotely secret or private or sensitive.
While DNA is left behind, I have yet to see a waitress run to the back with a sample, and run it through DNA marker identification.
This also assumes it's a clean sample and not contaminated with all the other DNA present, simple dust, residue on the surface of whatever the DNA was pulled from and/or whatever.
I'm not saying it's not possible, I'm saying that it's very, very, very unlikely, at least for mortals.
Source: I worked in 2 labs, one of which did genetic testing.
Note: I'm IT, not science, so I was the person that setup the reporting triggers, output, input, etc. I do know something about taking samples and swiping them from a glass isn't the typical way, for many, many reasons.
The association between your DNA and your name and contact details IS both sensitive and private though. Let's not be disingenuous: the dna companies don't just store dna snapshots. they store it along with a bunch of other data, ant this becomes problematic.
100% with you on this. Sec has to get it right, every. single. time. and that's not realistic. No one gets it right every single time. I'm not even getting into 0day and similar.
However, companies that are callous with your data and their own sec, like Equifax was, should suffer more than the current fine of a nickel, then it's on to BONUSES, with no other repercussions.
Lastly, according to the horrifically bad CU ruling, corps are practically humans, in every sense that gains them an advantage, but somehow magically immune in situations where they might find the slightest difficulty.
True. However, their abdication of responsibility is indicative of a lack of a security culture. It's hard to say that they were more or less negligent than Equifax, but both data sets should have been Highly secure.
It's also interesting that outside of the US their lack of security would open them to criminal liabilities under GDPR.
"Our anonymous sequencing service enables our users to sign up, submit their samples, and receive their genetic reports without ever personally identifying themselves."
It doesn’t matter whether you share it or not, the DNA of a close relative can be used to figure out your own DNA. I don’t know how the actual technique really works, but I know it’s possible and it was used to catch the golden state killer.
For obvious reasons you don't want your personal financial info publicly known.
But can someone explain to me the actual or potential harm done here with DNA information?
The only thing remotely potentially harmful could be for denial of life or long-term health insurance (in the US at least.) However, I am unaware of any cases where a relative's genetic test caused denial of coverage. And I am highly doubtful that test results obtained illegally can be used for this purpose.
33 comments
[ 2.8 ms ] story [ 80.9 ms ] threadI was under the impression that no DNA data was hacked. That what was hacked is just a bit more than a hacker would get from hacking Ancestry.com's database of family trees.
Re public info: Do you mean via birth certificates?
Even if vaguely possible it will kill much of your extended family too.
I agree with you on biological being the attack vector is very unlikely, at least, at this point.
Also, if someone doesn't like X people enough to randomly murder people, I don't think they're too worried about splicing around DNA.
Just silly.
https://portal.ct.gov/AG/Press-Releases/2023-Press-Releases/...
Excerpt: The threat actor has posted sample data indicating the attack was targeted at account holders with Ashkenazi Jewish and Chinese heritage.
I'm pretty sure they don't care about your genetic estimation if you're Jewish.
Keep in mind, you can't just look at most people and know their religion or racial makeup.
Even the Nazis and their Rassenkunde bollocks was more post-hoc window-dressing rationale than anything else – they really didn't need that to tell who the Jews, Slavs, Roma, etc. were. This is usually the pattern: "I want to discriminate against $group for $emotional reasons, and I can't really articulate why, so let me find $facts to support my $case".
And look, if you want to keep it private then you should of course keep it private, and if 23andme promises to keep it private then you have every right to keep them to their promise. Privacy is fundamentally about choice, and those choices will be different for everyone and I'm not here to judge anyone's choices. But personally, I think the abuse for DNA data is actually quite small, almost non-existent.
DNA analysis is rapidly evolving to extract more information than you might initially assume. We don't know how much or how accurately DNA can be used do infer your preferences, moral instincts, aggressive tendencies, intelligence, propensity to fall victim of a scam, to become addicted, to act violently, etc.
DNA also provides insights into the genetic makeup of family members, which can face the same problems.
23andme claims "re-used passwords". We just have to take them at their word for this. I don't think they're outright lying, but you can misrepresent things without strictly telling falsehoods.
But if we take them at their word, there's a huge amount of nuance there too – are we talking about a large and advanced botnet or just ten IPs that accessed those millions of accounts? The first might be very hard to protect against, the second would raise a lot more eyebrows. What kind of security measures do they have? Things like that.
Right now, all I can really do is ... shrug. Because I just don't have enough information to judge one way or the other.
And it would improve security, because forced airing of your dirty laundry is a good motivation for going to the laundrette.
In the end this would benefit everyone, including the companies themselves.
In which case their IP (everyone's genetic data) goes on the auction block to pay the exorbitant fines.
How could that possibly go wrong?
It may be a couple years yet until the big teleheath hacks come out, and you discover all those private disclosures are sold for pennies on the dark market, or just leveraged by adversaries.
You leave your DNA at every restaurant you visit, and you display your biometrics in every public place. They are not remotely secret or private or sensitive.
This also assumes it's a clean sample and not contaminated with all the other DNA present, simple dust, residue on the surface of whatever the DNA was pulled from and/or whatever.
I'm not saying it's not possible, I'm saying that it's very, very, very unlikely, at least for mortals.
Source: I worked in 2 labs, one of which did genetic testing. Note: I'm IT, not science, so I was the person that setup the reporting triggers, output, input, etc. I do know something about taking samples and swiping them from a glass isn't the typical way, for many, many reasons.
100% with you on this. Sec has to get it right, every. single. time. and that's not realistic. No one gets it right every single time. I'm not even getting into 0day and similar.
However, companies that are callous with your data and their own sec, like Equifax was, should suffer more than the current fine of a nickel, then it's on to BONUSES, with no other repercussions.
Lastly, according to the horrifically bad CU ruling, corps are practically humans, in every sense that gains them an advantage, but somehow magically immune in situations where they might find the slightest difficulty.
It's also interesting that outside of the US their lack of security would open them to criminal liabilities under GDPR.
23 was cred stuffed, which is still not good, but not the same level of negligence.
US laws are a sad tragedy of the rich fucking the not rich harder and harder and harder every decade.
"Our anonymous sequencing service enables our users to sign up, submit their samples, and receive their genetic reports without ever personally identifying themselves."
But if your information is stored in a database of a large entity, chances are it will spill out at some point. This is especially true in healthcare.
23andMe confirms hackers stole ancestry data on 6.9M users - https://news.ycombinator.com/item?id=38527965 - Dec 2023 (297 comments)
23andMe hackers accessed a whole lot of personal data - https://news.ycombinator.com/item?id=38519466 - Dec 2023 (36 comments)
Hacker leaks millions more 23andMe user records on cybercrime forum - https://news.ycombinator.com/item?id=37931383 - Oct 2023 (394 comments)
23andMe Sued over Hack of Genetic Data Affecting Thousands - https://news.ycombinator.com/item?id=37895586 - Oct 2023 (20 comments)
23andMe Accounts Hijacked and Data Put Up for Sale on Hacker Forum - https://news.ycombinator.com/item?id=37810755 - Oct 2023 (2 comments)
23andMe says user data stolen in credential stuffing attack - https://news.ycombinator.com/item?id=37794379 - Oct 2023 (298 comments)
For obvious reasons you don't want your personal financial info publicly known.
But can someone explain to me the actual or potential harm done here with DNA information?
The only thing remotely potentially harmful could be for denial of life or long-term health insurance (in the US at least.) However, I am unaware of any cases where a relative's genetic test caused denial of coverage. And I am highly doubtful that test results obtained illegally can be used for this purpose.
Note that health insurance discrimination (again, in the US, where we have such afflictions) based on the outcome of a genetic test is outlawed https://www.eeoc.gov/laws/guidance/fact-sheet-genetic-inform...
And we all know you don't need a fancy genetic test to discriminate...