As 23andMe continues to investigate a data breach within its customers' accounts, a state politician is pressing the genetic testing company about what exactly was exposed in the leak and what the hackers wanted out of it.
Connecticut Attorney General William Tong issued an inquiry letter to 23andMe Tuesday expressing concern about the breach, which he says targeted more than 5 million users, specifically those of Ashkenazi Jewish and Chinese heritage.
Tong notes that the breach resulted in at least 1 million user data profiles of Ashkenazi Jewish heritage and hundreds of thousands of user profiles listing Chinese heritage being targeted and sold on the black market.
"The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public," Tong said in a statement.
23andMe is in the business of collecting & analyzing the most sensitive information about individuals - their genetic code.
This incident raises questions about their processes to obtain consent from users, as well as the steps taken to protect confidential personal information. pic.twitter.com/uanfPiOAM1
— AG William Tong (@AGWilliamTong) October 31, 2023
Earlier this month, 23andMe disclosed that certain customer profile information shared by its DNA Relatives feature was collected by others without their authorization.
The company said it believes this occurred due to the use of "recycled login credentials," meaning hackers would already know a user's 23andMe username and password if they had already used the credentials on a site that had been previously hacked.
As of its latest update on Oct. 20, 23andMe said it was investigating the security breach and has temporarily disabled some features within the DNA Relatives tool as a precaution.
It also said it's working with federal law enforcement officials, but Tong said Tuesday that the company hadn't submitted a data breach notification to the attorney general's office. Connecticut requires a notice be provided no later than 60 days after a personal information breach of one of its residents.
"23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals: their genetic code," Tong said in the letter. "This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information."
Among the 14 requests listed in his inquiry, Tong is requesting that 23andMe provide his office with the total number of individuals who were affected and which categories of personal information were compromised. He's also asking for definitive answers on if and what Connecticut resident information "has been made available on the dark web" and, if so, how that could have occurred with existing "safeguards." The letter lists Nov. 13 as the deadline for 23andMe to respond.
Maryland Quietly Shelves Parts Of Genealogy Privacy Law
Maryland set limits on police access to ancestry websites. But state leaders stopped rolling out some of the new law, a Newsy investigation finds.
