Connecticut AG demands answers from 23andMe after data breach

The attorney general of Connecticut is questioning whether genetic testing giant 23andMe violated data privacy laws after hackers tried to sell the information of millions of 23andMe users on a cybercrime forum last month.

The company has been embroiled in controversy since the leaks came to light. A researcher downloaded two files from the forum post and told Recorded Future News that one apparently had information on 1 million 23andMe users of Ashkenazi heritage while another file included data on more than 300,000 users of Chinese heritage.

TechCrunch reported on a second cybercrime forum posting weeks later that included information on 4 million users.

23andMe confirmed on October 9 that a data scraping incident resulted in hackers gaining access to customer profile information that they opted into sharing through their DNA Relatives feature. The company said it believes the data “was compiled from individual 23andMe.com accounts without the account users’ authorization.”

This resulted in the compilation and exposure of peoples’ names, sex, date of birth, geographical location, and genetic ancestry results. By October 20, the company said it “temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.”

This week, Connecticut Attorney General Willaim Tong sent a letter to the company demanding answers to a list of questions about the breach, expressing concern about how the issue was being handled.

Tong was specifically concerned about the data from the first breach, which involved information on individuals with Ashkenazi Jewish heritage and Chinese ancestry.

“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public,” Tong said.

The Connecticut Attorney General said 23andMe has not submitted a breach notification to the state as required by law within 60 days of a breach.

Tong acknowledged 23andMe’s assertion that the breach was the result of a credential stuffing attack — where credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service — but said the state’s breach notification statute “expressly include email address and password information.”

Tong questioned whether 23andMe was violating the Connecticut Data Privacy Act, a recently instituted law that imposes privacy and data security obligations on companies operating in the state.

“23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code,” he explained.

“This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information.”

The letter includes 14 questions about the specifics of those affected by the breach as well as any measures the company has in place to protect against these kinds of attacks.

The company has until November 13, 2023 to respond to the letter. 23andMe did not respond to requests for comment about the letter.

The breach set off a wave of concern, particularly among those of Ashkenazi heritage, amidst a rise in anti-semitism and hate speech toward those of the Jewish faith. Since publishing a story about the issue on October 6, several people have contacted Recorded Future News expressing worry about what the leaked data may lead to.

One researcher who spoke to Recorded Future News was initially alarmed because he found the information on his wife and her family members in the first batch of stolen data being offered for sale on BreachForums.

“23andme seems to think this isn’t a big deal. They keep telling me that if I don’t want this info to be shared, I should not opt into the DNA relatives feature,” he said, speaking on condition of anonymity out of fear his family would be identified by hackers.

“But that’s dismissing the importance of this data which should only be viewable to DNA relatives, not the public. And the fact that someone was able to scrape this data from 1.3 million users is concerning. The hacker allegedly has more data that they have not released yet.”