Last month, 92 million accounts from DNA testing service MyHeritage were breached. Hackers only accessed encrypted emails and passwords, not the actual genetic data. But still, there’s little doubt that hacks like these will happen more frequently — especially with genetic testing becoming more popular with sites like Helix, 23andMe and MyHeritage. Here’s what you need to know.
Why do hackers want DNA information?
DNA information has long-term value — while other types of information (like your credit card number) can be easily changed, your DNA cannot. “At this point in time, the options for monetization are limited, but with the improvement of machine-learning techniques, data of this kind will increase in value,” says Dr. Giovanni Vigna, Co-founder and CTO of Lastline, a cyber security company. Criminals have a specific interest in stealing immutable identifiers of humans exactly because they are immutable — which makes DNA incredibly valuable as an identifier and commodity, says Marten Mickos, CEO of HackerOne, a platform that connects businesses with cybersecurity researchers. “Our DNA just might be the most valuable thing we own,” says Mickos.
What are the long-term implications of a DNA breach?
Today, with a quick cheek swab, someone can identify your age, race, any genetic mutations, and other information about your health and potential diseases. If hackers sell your DNA to insurance companies, for example, that data could be used against you. Say you apply for a long-term loan, but you get rejected because the company that bought your DNA data sees that you are very likely to get Alzheimer’s and die before you would be able to repay the loan. “Cybercriminals could hold DNA information for ransom, demanding a large payment before they return it to the company. DNA could be sold to researchers or insurance companies for scientific studies or used to discriminate,” says Mickos. With biometrics (things like fingerprints and facial images used as identifiers) still in their infancy, we can’t even fully grasp the worst-case scenario of a DNA breach, suggests Mickos. “DNA does not expire, breached DNA could come back to haunt us 10 years when DNA uses advance,” says Mickos.
What can you do about it?
If DNA information is disclosed, the loss is irreversible — making it a serious problem. There are no “credit information protection” services that can prevent somebody from getting your information and abusing it. Does this mean that you shouldn’t be using services that could tell you about potential health problems — or just interesting facts about your history? Not necessarily. When MyHeritage was breached, the company said there was no reason to believe that any more sensitive information was breached beyond the emails and passwords. Still, Mickos says it’s wise to be aware of who you’re entrusting with your personal information and how they protect it. “Unlike a password, DNA cannot be changed. Therefore, it should be secured with that permanency in mind,” says Mickos. If you’re looking to get your DNA tested, make sure you’re trusting a company that prioritizes security. There is no such thing as 100 percent security, says Mickos; even the best companies get breached sometimes. He adds that “an organization with a mature security posture will likely have a vulnerability disclosure policy for anyone who finds vulnerabilities to safely disclose them.”
With Hattie Burgher