Perhaps your genome is already waiting for its buyer on the shelves of the shadow market.
In the fall of 2023, a hacker under the pseudonym Golem posted an announcement on a cybercrime forum about hacking the database of 23andMe, one of the largest DNA testing companies on the market. Later, the management admitted that the attacker gained access to the personal information of approximately 6.9 million user profiles.
As it turned out, the attack targeted people of Jewish and Chinese descent, but Golem particularly boasted of accessing a huge number of profiles of Ashkenazi Jews . After the news about the hacking that took place on October 6, experts had concerns that the attack could have had anti-Semitic motives.
The message offered for sale the following information: distribution by ethnic group, estimates of origin, details of haplogroups, information about the phenotype, photos, links to hundreds of potential relatives and, most importantly, files with original, not interpreted genetic data. A price list was specified with a step-by-step increase in the price-from $ 1,000 for 100 profiles to $ 100,000 for 100,000 profiles.
Moreover, similar situations with 23andMe have been repeated several times recently.
Millions of people, hoping to learn more about their ancestors and health, sent home-made DNA tests to 23andMe. Many people do this solely out of curiosity, because home tests work very simply, sometimes they are even given to friends and relatives for the holidays. The company's stated mission is "to help people access, understand and benefit from data on the human genome."
Cybersecurity specialist Brett Callow notes that leaks happen all the time: "Such incidents are very common, and no company is immune from them." However, genetic information is a special type of data: unlike passwords and financial information, you can't change your own DNA. "If your genetic data gets hacked, there's absolutely nothing you can do about it," Callow says.
He also notes that the leak of DNA information can have very serious consequences in the long term.: "It is impossible to predict who will get access to them in the future, how many people will be able to use them and for what purpose. Genetic tests often indicate a predisposition to certain diseases. This can affect a person's employment, life expectancy, or disability. Such confidential information is of interest to unscrupulous employers and insurance companies."
In an era when more and more financial decisions are made by algorithms based on the analysis of all available information about a person, leakage can also lead to serious financial losses and discrimination. For example, insurers may refuse to issue a policy or increase rates, citing genetic risks.
23andMe claims that the hack did not affect the DNA profiles themselves, but the hacker gained access to reports on origin, geographical location, family trees and other genetic features.
"Every time our personal data falls into the hands of cybercriminals, it contributes to the spread of theft," warns cybersecurity expert Lily High Newman. According to her, even such general information as location and ethnicity can be used by fraudsters to target specific people.
As a result of the leak, 23andMe faced several class-action lawsuits. In January, she admitted that hackers could have accessed the accounts as early as April 2023. Moreover, anyone could easily exploit the vulnerability in the system for five months before the problem was discovered.
"The privacy and security of our customers remains a top priority for 23andMe, and we will continue to invest in protecting our systems," the organization states. The company's website now requires two-factor authentication to access its accounts.
Researchers have also discovered other ways to illegally obtain genetic data from databases of consumer genetic services. In one study, researchers from the University of California, Davis, demonstrated that by uploading a large number of fake genetic profiles to a corporate system, it is possible to find matches with real users and thus restore fragments of their genomes.
Even if it is possible to reliably protect such confidential information as the genetic code from hackers, there is no guarantee that it will not fall into the wrong hands. If the company we send our tests to decides to sell, the information will pass to the new owners.
"In addition to processing genetic data, such companies essentially have no other valuable assets and business lines. Their revenue is built on storing and analyzing customer DNA, "Callow notes. - Now genetic information can be sold, bought and exchanged like any other intellectual property. The rights to the DNA belong to the company, not to you."
So, in 2020, the investment company Blackstone acquired Ancestry, one of 23andMe's main competitors, for $ 4.7 billion.
Despite the potential risks associated with the transfer of DNA materials to private companies, many do not regret their decision to undergo testing. The knowledge they gain about their ancestors and their genetic connections is so valuable that it outweighs any concerns about privacy. But even if you didn't take the test yourself, someone close to you might have done it. This means that a very close copy of your genetic code may already be stored in the corporate archive of an unknown organization.
Perhaps your genes are already waiting for their buyer on the shelves of dark markets. And it is not known where they will end up in the end.
In the fall of 2023, a hacker under the pseudonym Golem posted an announcement on a cybercrime forum about hacking the database of 23andMe, one of the largest DNA testing companies on the market. Later, the management admitted that the attacker gained access to the personal information of approximately 6.9 million user profiles.
As it turned out, the attack targeted people of Jewish and Chinese descent, but Golem particularly boasted of accessing a huge number of profiles of Ashkenazi Jews . After the news about the hacking that took place on October 6, experts had concerns that the attack could have had anti-Semitic motives.
The message offered for sale the following information: distribution by ethnic group, estimates of origin, details of haplogroups, information about the phenotype, photos, links to hundreds of potential relatives and, most importantly, files with original, not interpreted genetic data. A price list was specified with a step-by-step increase in the price-from $ 1,000 for 100 profiles to $ 100,000 for 100,000 profiles.
Moreover, similar situations with 23andMe have been repeated several times recently.
Millions of people, hoping to learn more about their ancestors and health, sent home-made DNA tests to 23andMe. Many people do this solely out of curiosity, because home tests work very simply, sometimes they are even given to friends and relatives for the holidays. The company's stated mission is "to help people access, understand and benefit from data on the human genome."
Cybersecurity specialist Brett Callow notes that leaks happen all the time: "Such incidents are very common, and no company is immune from them." However, genetic information is a special type of data: unlike passwords and financial information, you can't change your own DNA. "If your genetic data gets hacked, there's absolutely nothing you can do about it," Callow says.
He also notes that the leak of DNA information can have very serious consequences in the long term.: "It is impossible to predict who will get access to them in the future, how many people will be able to use them and for what purpose. Genetic tests often indicate a predisposition to certain diseases. This can affect a person's employment, life expectancy, or disability. Such confidential information is of interest to unscrupulous employers and insurance companies."
In an era when more and more financial decisions are made by algorithms based on the analysis of all available information about a person, leakage can also lead to serious financial losses and discrimination. For example, insurers may refuse to issue a policy or increase rates, citing genetic risks.
23andMe claims that the hack did not affect the DNA profiles themselves, but the hacker gained access to reports on origin, geographical location, family trees and other genetic features.
"Every time our personal data falls into the hands of cybercriminals, it contributes to the spread of theft," warns cybersecurity expert Lily High Newman. According to her, even such general information as location and ethnicity can be used by fraudsters to target specific people.
As a result of the leak, 23andMe faced several class-action lawsuits. In January, she admitted that hackers could have accessed the accounts as early as April 2023. Moreover, anyone could easily exploit the vulnerability in the system for five months before the problem was discovered.
"The privacy and security of our customers remains a top priority for 23andMe, and we will continue to invest in protecting our systems," the organization states. The company's website now requires two-factor authentication to access its accounts.
Researchers have also discovered other ways to illegally obtain genetic data from databases of consumer genetic services. In one study, researchers from the University of California, Davis, demonstrated that by uploading a large number of fake genetic profiles to a corporate system, it is possible to find matches with real users and thus restore fragments of their genomes.
Even if it is possible to reliably protect such confidential information as the genetic code from hackers, there is no guarantee that it will not fall into the wrong hands. If the company we send our tests to decides to sell, the information will pass to the new owners.
"In addition to processing genetic data, such companies essentially have no other valuable assets and business lines. Their revenue is built on storing and analyzing customer DNA, "Callow notes. - Now genetic information can be sold, bought and exchanged like any other intellectual property. The rights to the DNA belong to the company, not to you."
So, in 2020, the investment company Blackstone acquired Ancestry, one of 23andMe's main competitors, for $ 4.7 billion.
Despite the potential risks associated with the transfer of DNA materials to private companies, many do not regret their decision to undergo testing. The knowledge they gain about their ancestors and their genetic connections is so valuable that it outweighs any concerns about privacy. But even if you didn't take the test yourself, someone close to you might have done it. This means that a very close copy of your genetic code may already be stored in the corporate archive of an unknown organization.
Perhaps your genes are already waiting for their buyer on the shelves of dark markets. And it is not known where they will end up in the end.
