Family members’ names, birth years, relationship labels, shared DNA information and more were recently exposed in a data breach against genetic testing company 23andMe in an attack that impacted 6.9 million individuals. While the biotech firm explained in an announcement that less than 0.1% of user accounts were accessed in the October breach, this gave hackers access to about 5.5 million DNA Relatives profiles and 1.4 million Family Trees connected to those accounts.
“It is alarming but not surprising, unfortunately,” said Allison Arnold, Broker, Professional Liability, Burns & Wilcox, Indianapolis, Indiana. “It is a very good example of a company that has certain data that might be linked to other data and how it can really avalanche into a huge issue.”
23andMe’s customers were reportedly notified and prompted to reset their passwords, and the company is now requiring two-step verification for all users. According to reports, 23andMe expected to spend between $1 million to $2 million on the breach and was facing class-action lawsuits in multiple states as well as Canada. Cyberattack-related expenses can often be covered by a company’s Cyber & Privacy Liability Insurance, said Joey Franiak, Broker, Professional Liability, Burns & Wilcox, San Diego, California.
It is a very good example of a company that has certain data that might be linked to other data and how it can really avalanche into a huge issue.
“23andMe collect and store an immense data set of personally identifiable information records of their clients. Generally speaking, this is where companies see a lot of exposure on the cyber side of things,” Franiak said. “This is why insurance carriers are always scanning and doing their due diligence to ensure companies have excellent security controls in place for the betterment of the insured.”
How leaked ancestry data could wreak havoc on users
According to TechCrunch, one hacker who claimed to be involved in the breach published the data of more than 1 million users of Jewish Ashkenazi descent and 100,000 Chinese users and sought $1 to $10 for the data per account. The outlet found that a different hacker also advertised having stolen user data from 23andMe. DNA data is a “hot commodity” on the black market, financial news website TheStreet reported in October, and it could potentially be used for blackmail, impersonation, or even as a biological weapon.
The personal nature of the data leaked “definitely adds to the gravity of the information that was stolen,” Arnold said, noting that the hackers publishing data on specific populations is another red flag and shows how breaches involving ancestry data create “another level of severity” to claims.
The fact that data has been stolen and is in the hands of those who might want to wreak some havoc — that is very scary.
“With the climate in the world right now, it seems everybody hates everybody. You do not want to disclose that type of information to the wrong individuals,” Arnold said. “We also know that we can do a lot scientifically with DNA, so the fact that data has been stolen and is in the hands of those who might want to wreak some havoc — that is very scary.”
In response to the 23andMe breach, the AARP published information on the risks of leaked ancestry databases, noting that users whose information was revealed could be targeted for more convincing phishing scams. The nonprofit also pointed out that HIPAA privacy standards do not apply to ancestry websites.
“Hackers will use any public or private information they can get ahold of presently,” Franiak said. “They could use that data to hack into your work or to steal funds from you. It is very concerning, to say the least, and why it is imperative for individuals to have proper safeguards.”
Hackers will use/abuse any public or private information they can get ahold of presently. They could use that data to hack into your work or to steal funds from you. It is very concerning, to say the least, and why it is imperative for individuals to have proper safeguards.
After this type of breach, Cyber & Privacy Liability Insurance can cover breach response services including the negotiation of ransomware payments, IT support to get networks back up and running, and investigations to identify how the breach occurred. The policy can also cover the cost of notifying affected customers, as well as any brand rehabilitation services that may be needed. In a case like the 23andMe breach, “they are likely going to have to get a PR firm involved to restore the public image,” Arnold said.
“An event like this could make consumers turn away from your company and use another one,” she said, adding that competing ancestry websites are likely taking steps now to further safeguard their systems.
Class-action lawsuit could shut down company
Information from genealogy websites has been compromised in the past. In March of 2022, ancestry site FamilySearch detected a network intrusion that gave hackers access to some of its data, including users’ preferred language, phone number, mailing address, full names, gender, birth dates, and more, IDStrong reported in October of 2022. In 2018, genetics site MyHeritage experienced a data breach that exposed the email addresses and passwords of all of its 92 million users, TechCrunch reported in June of 2018.
The business impact of these attacks can be significant. In February, Pennsylvania’s attorney general secured a $400,000 settlement against a DNA testing company that exposed the Social Security numbers of over 12,000 individuals. Large class-action lawsuits against companies are also possible and could threaten to shut down a business altogether.
“If a majority of users who were hacked take that step together, 23andMe might not be here tomorrow,” Franiak said. “Class-action lawsuits take a long time, especially considering court backups post-COVID, so it could be four or five years or longer before we see something regarding a class-action lawsuit and what the ultimate result is for the company.”
In either case, he added, “It is going to be tough for them to recover from this since they have lost the trust of the public.”
Depending on the policy, a company’s Cyber & Privacy Liability Insurance could help cover the cost of cyberattack-related lawsuits, including legal defense and settlements. According to Arnold, a breach like the one against 23andMe can be damaging to both users and the company. “The money and time they had to invest to get their system secure again and back up and running can be pretty detrimental to a company,” she said.
Ransomware attacks up as hackers get ‘more sophisticated’
While the specific data exposed may vary, the sensitivity of the information revealed in a DNA company breach is somewhat similar to attacks affecting the health care industry. During the first half of 2023 alone, these breaches impacted more than 39 million individuals, according to Health IT Security. Ransomware attacks against hospitals, specifically, were back on the rise as of July after a temporary decline earlier in the year, Chief Healthcare Executive reported. “Anything health care-related is such a big exposure due to the sensitive information that is being collected,” Franiak said.
We try to point out coverage enhancements and tailor a policy to see all angles where a business could be vulnerable and have a plan in place to prevent potential losses and claims.
Ransomware attacks “increased” year over year, he added. “Hackers are getting a little bit more sophisticated, making it more important for businesses to train their employees on how to avoid scams,” he said.
Services intended to help prevent cyberattacks are a major component of a Cyber & Privacy Liability Insurance policy, as insurance carriers typically offer services to help companies reduce their risk of cyber incidents. “They usually include a lot of risk management for clients, such as classes on social engineering or pushing through fake phishing attempts,” Arnold said. “Cybersecurity education is very smart for a business and their employees.”
Partnering with an insurance broker who fully grasps cyber risks is also key. “We try to point out coverage enhancements and tailor a policy to see all angles where a business could be vulnerable and have a plan in place to prevent potential losses and claims,” Franiak said.
When weighing insurance options, business owners should ask about whether coverage is included for cyber crime, hardware replacement, third-party losses and more. According to Arnold, it is “always” the right time to seek out a Cyber & Privacy Liability Insurance policy. “It is always the best time to get a policy because hackers are always getting smarter,” she said. “You want to be secure and keep your business protected as much as possible.”