
U.S. biotechnology and genomics company 23andMe said a major cyber security incident that took place in 2023 compromised raw genotype data and other sensitive information of millions of users.

In October, a threat actor listed 23andMe as a victim on their data leak site and published samples of data they claimed to have stolen from the company, including 1 million lines of information about Ashkenazi Jews, that is, Jews descended from the Jewish communities of Central and Eastern Europe.

Acknowledging the threat actor's claim, 23andMe said the attacker had logged in to customer accounts using usernames and passwords that had been exposed in earlier breaches of other websites and reused on 23andMe, a technique known as credential stuffing. The company said that as soon as it learned of the incident it launched an investigation, with assistance from third-party cyber security experts, to understand its scope.

In a regulatory filing with the U.S. Securities and Exchange Commission, the company said the incident affected a "very small percentage", about 0.1%, of user accounts. Given the customer base of 14 million users worldwide reported in its most recent annual earnings report, that is roughly 14,000 directly compromised accounts.

A company spokesperson, however, told TechCrunch that the threat actor accessed data belonging to as many as 5.5 million people who had opted in to 23andMe's DNA Relatives feature, which lets a logged-in customer view the profiles of their genetic matches. About 1.4 million people who had opted in to the same feature also had their Family Tree profile information accessed without authorisation. The data included display names, relationship labels, birth year, self-reported location and whether the user had chosen to share their information.

The company said it notified all affected individuals and forced a password reset on October 10 to cut off the attacker's access to compromised accounts.
It also required two-step verification for all new and existing users logging in to their 23andMe accounts.

In a recent data breach notification sent to affected users, 23andMe said its investigation revealed that the threat actor exfiltrated "uninterrupted raw genotype data" and other sensitive personal information from their accounts.
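The two security-relevant points above are the mechanics of credential stuffing (a few reused passwords succeed among many failures) and the way an opt-in sharing feature turns a takeover of 0.1% of accounts into exposure for a far larger population. The following is an added illustration, not 23andMe code and not based on its logs. The log format, the detection thresholds, the account names and the match graph are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data). The format is an
# assumption: <timestamp> <source_ip> <account> <LOGIN_OK|LOGIN_FAIL>.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 u01 LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 u02 LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 u03 LOGIN_OK
2023-10-01T10:00:03Z 203.0.113.7 u04 LOGIN_FAIL
2023-10-01T10:00:03Z 203.0.113.7 u05 LOGIN_FAIL
2023-10-01T10:00:04Z 203.0.113.7 u06 LOGIN_FAIL
2023-10-01T10:00:04Z 203.0.113.7 u07 LOGIN_OK
2023-10-01T10:00:05Z 203.0.113.7 u08 LOGIN_FAIL
2023-10-01T10:01:00Z 198.51.100.9 u09 LOGIN_FAIL
2023-10-01T10:01:05Z 198.51.100.9 u09 LOGIN_OK
2023-10-01T10:02:00Z 192.0.2.44 u10 LOGIN_OK
"""

# Constructed, symmetric DNA-Relatives-style match graph: only opted-in accounts
# appear, and each can see the profiles of the accounts it is matched with.
SAMPLE_MATCHES = [
    ("u03", "u11"), ("u03", "u12"), ("u03", "u13"),
    ("u07", "u12"), ("u07", "u14"),
    ("u10", "u15"),  # u10 logged in legitimately, so its matches stay private
    ("u11", "u16"),  # second hop: not visible to whoever holds u03
]


def parse_log(text):
    """Parse log lines into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((ts, ip, account, result))
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that look like credential stuffing: attempts against many
    distinct accounts with a high failure ratio (most leaked passwords do not
    work here, but the reused ones do). Returns {ip: accounts that logged in}.
    Thresholds are illustrative assumptions, not tuned values."""
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0, "ok": set()})
    for _, ip, account, result in events:
        stats = per_ip[ip]
        stats["accounts"].add(account)
        stats["total"] += 1
        if result == "LOGIN_FAIL":
            stats["fail"] += 1
        else:
            stats["ok"].add(account)
    flagged = {}
    for ip, stats in per_ip.items():
        if (len(stats["accounts"]) >= min_accounts
                and stats["fail"] / stats["total"] >= min_fail_ratio):
            flagged[ip] = stats["ok"]
    return flagged


def build_adjacency(matches):
    """Undirected match graph: a match is visible from both sides."""
    adj = defaultdict(set)
    for a, b in matches:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def exposed_profiles(compromised, adj):
    """Profiles readable after the takeovers: the compromised accounts plus every
    match they can see. One hop only: an attacker holding u03 sees u11's profile
    but not u11's own matches."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= adj.get(account, set())
    return exposed


def analyze(log_text=SAMPLE_LOG, matches=SAMPLE_MATCHES):
    """Run detection, then measure how far the compromise spreads via sharing."""
    flagged = find_stuffing_sources(parse_log(log_text))
    compromised = set().union(*flagged.values()) if flagged else set()
    exposed = exposed_profiles(compromised, build_adjacency(matches))
    return {
        "stuffing_ips": sorted(flagged),
        "compromised": sorted(compromised),
        "exposed": sorted(exposed),
        "amplification": len(exposed) / len(compromised) if compromised else 0.0,
    }


if __name__ == "__main__":
    print(analyze())
```

On the constructed log, one source tries eight accounts and succeeds on two, which is the signature the detector keys on; the single-account retry from 198.51.100.9 is a user mistyping a password and is not flagged. A per-IP threshold is the simplest signal and is easy to dilute by rotating through a proxy pool, so production detection usually adds per-account failure bursts, comparison of submitted passwords against known breach corpora, and device or ASN fingerprints. The second half shows the design point: two takeovers expose six profiles, because each compromised account can read everything its opted-in matches chose to share.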
According to the company, the compromised data includes health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, carrier status reports, self-reported health condition information, and information in the users' settings.

"If you participated in the 23andMe DNA Relatives feature, the threat actor may have also accessed your DNA Relatives profile information, and your Family Tree profile information," the company said.

"If your DNA Relatives profile information was accessed, the threat actor was able to view your display name, how recently you logged into your account, your relationship labels, and your predicted relationship and percentage DNA shared with your DNA Relatives matches."

23andMe said the threat actor may also have accessed additional information about customers, such as their ancestry reports and matching DNA segments (specifically where they and their relative had matching DNA), self-reported location (city/zip code), ancestor birth locations and family names, profile picture, birth year, a weblink to their family trees, and any information customers provided in the "Introduce yourself" section of their profile.

"If your Family Tree profile information was accessed, the threat actor accessed your display name, relationship labels, and percentage DNA with your DNA Relatives matches. The following information may have also been accessed in relation to the Family Tree profile if you chose to share this information in the DNA Relatives feature: self-reported location (city/zip code) and birth year. The threat actor may have also accessed information in your settings, which may include information such as your height, weight, self-reported ethnicity, current zip code, and birth date."

"Protecting our customers' privacy and security continues to be a top priority. We will continue to invest in protecting our systems and data. We sincerely apologize for any inconvenience caused to you by this incident," 23andMe added.

Last year, the company said that it expects to incur between $1 million and $2 million in one-time expenses related to the incident during its fiscal third quarter ending December 31. The cost primarily covers technology consulting services, legal fees, and the expenses of other third-party advisors.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543