Hackers stole a million people’s DNA. What they’ll do with it is baffling
In light of recent world events, a cyber attack at DNA testing firm 23andMe earlier this month didn’t make many headlines.
The popular company provides users with a comprehensive ancestry breakdown based on their DNA and, according to the leaked data, its customers include Elon Musk and Mark Zuckerberg – although this has not been verified.
The data breach was not a hack of company systems, but a mass targeting of individual users, in what is known as a ‘credential stuffing’ attack. This is where hackers take usernames and passwords exposed in previous hacks and try them on another service to see if people are using the same details there.
It is the digital equivalent of opportunistic burglars trying all the doors on a street.
Such hacks are not uncommon, but this did raise a big question – what use is your DNA to a hacker?
To clarify, according to 23andMe, and from the information posted online, no actual genetic information was taken. High-level account data was accessed, such as personal information and users’ geographic ancestry breakdown.
This shows where a person’s genes have come from. For example, a user may be of 50% Irish heritage, 25% Norwegian, 12.5% Welsh and 12.5% Baltic.
Which is curious information to steal.
‘The main value from this hack is going to be personal information that might be used in scams later,’ says Professor Alan Woodward, a cyber security specialist based at the University of Surrey.
‘Names, addresses, telephone numbers, general personal information – hackers tend to sell this on to scammers, who can then write spam emails that are more targeted. It’s “Dear Alan” rather than “Dear valued customer”, so you think they know who you are and that it must be legitimate.
‘But in terms of the genetic information itself, it may have some value in the future, but today I can’t see how they would monetise it – I’d say it’s a fairly opportunistic hack.
‘I’d be more concerned if someone had my fingerprints. Biometric data, like your face, your fingerprints, can’t be changed once it’s out in the public, and can be used to access things.’
But the information generated by commercial DNA tests is not limited to geography. The results also share medical predictions, showing your likelihood of developing particular diseases or characteristics, such as Alzheimer’s, diabetes or male pattern baldness.
‘That information may be important in society one day, perhaps for insurance companies,’ says Professor Woodward. ‘It’s one of those things you’d rather not have out there, but probably won’t put you at risk now.’
However, the medical information supplied by these tests does raise concerns over ‘DNA hacking’ closer to home.
What is to stop a person checking whether their prospective partner is likely to go bald, or develop cancer, or have a genetic predisposition to alcoholism?
Perhaps the results could be used to sabotage someone’s career, highlighting health risks that may limit their working life. Would a company hire a 58-year-old to be its new CEO if they knew she or he had a high chance of developing dementia?
Technically, there is protection in place against such DNA hacking.