Days After Downplaying Data Breach, 23andMe Confirms Information Disclosure From About Half Its Users

Lorenzo Franceschi-Bicchierai, TechCrunch:

On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.

As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.

The announcement Friday was made in a financial disclosure, and the company updated an old blog post a day after this TechCrunch article was published. According to 23andMe, the information disclosed by the “DNA Relatives” feature will at minimum include a display name derived from one’s (presumably real) name, recent site activity, and “predicted” relationship.

Jason Koebler, 404 Media:

Every few years, I write an article about how it is generally not a good idea to voluntarily give your immutable genetic code to a for-profit company (or any other genetic database, for that matter), and how it is an even worse deal to pay money to do so. It is also not wise or ethical to gift a 23andMe Saliva Collection Kit to your loved ones for Christmas, their birthday, or any other reason.

Give your family and friends the gift of not subjecting their genetics to businesses with a data breach record of, as of writing and I cannot stress this enough, half their customer base.

Update: A very important postscript, via Brian Sutorius. Matthew Cortland:

So what measures has 23andMe announced to mitigate the tremendous harm their negligence has caused? If you guessed, “updating their Terms of Service to force customers – including everyone who has used 23andMe since their first product became available in the United States in 2007 – into binding arbitration” you’d be correct. 23andMe is updating their TOS to strip victims of the company’s negligence of the right to seek justice in a court of law, instead forcing those harmed by 23andMe’s conduct into binding arbitration. […]

Notification of the updated Terms of Service was sent to 23andMe users one day before it disclosed the results of its investigation. If you are a user, there are specific steps you need to follow this month to opt out of binding arbitration. Read Cortland’s post in full for more information.