23andMe…and Everyone Else: All Eyes are on the Most Personal Data
23andMe was fined £2.31 million for failing to protect users' sensitive data, raising concerns about the privacy and security of genetic information. 2025-7-9 08:46:3 Author: securityboulevard.com

As tempting as it is to find out if you descended from some grand poobah in Scandinavia or if your real great (x10) grandmother was Catherine the Great, the implications of a fine recently levied against 23andMe might coax you into keeping your genetic material to yourself. 

The ICO recently fined the genetic testing company £2.31 million for its failure to have appropriate security measures in place to protect UK users’ personal data — names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports — after a credential stuffing attack between April and September 2023.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there and the company was slow to respond,” said John Edwards, UK Information Commissioner. “This left people’s most sensitive data vulnerable to exploitation and harm.”
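The “warning signs” in a credential stuffing attack are usually visible in the authentication logs: one source address trying a long list of different usernames, mostly failing, with the occasional success. The detector below is an added example written for this article; it is not code from 23andMe, the ICO, or Security Boulevard. The log format, the sample lines, the source addresses and the thresholds (`window`, `min_users`, `min_failures`) are all constructed assumptions, chosen to show the pattern a defender would alert on and which accounts should be reset after such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format; not real 23andMe data).
# 203.0.113.5 sprays many different usernames and gets one hit: stuffing.
# 198.51.100.7 is one user mistyping a password twice: normal behaviour.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-05-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-05-01T10:00:04Z ip=203.0.113.5 user=dave result=SUCCESS
2023-05-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-05-01T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2023-05-01T10:00:07Z ip=198.51.100.7 user=alice result=FAIL
2023-05-01T10:00:20Z ip=198.51.100.7 user=alice result=FAIL
2023-05-01T10:00:40Z ip=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "SUCCESS",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_failures=4):
    """Flag source IPs that try many distinct usernames with mostly failures
    inside a sliding time window. Returns {ip: alert_details}.

    The key signal is *distinct accounts per source*, not failures per account:
    a stuffing run touches many users once each, so per-account lockouts miss it.
    """
    events_by_ip = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the pipeline
        q = events_by_ip[ev["ip"]]
        q.append(ev)
        # Drop events that fell out of the window (log is assumed time-ordered).
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        users = {e["user"] for e in q}
        failures = sum(1 for e in q if not e["ok"])
        if len(users) >= min_users and failures >= min_failures:
            # Accounts that *succeeded* during the burst are the likely
            # compromises: candidates for session revocation and forced reset.
            succeeded = sorted(e["user"] for e in q if e["ok"])
            alerts[ev["ip"]] = {
                "distinct_users": len(users),
                "failures": failures,
                "succeeded_users": succeeded,
            }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {details}")
```

Run as-is it flags `203.0.113.5` (six usernames, five failures) and names `dave` as the account that was actually entered, while the single user retrying their own password is left alone. In production the same logic would be fed from the identity provider's audit stream, and the `succeeded_users` list would drive session revocation and password resets rather than a print statement.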


Most sensitive data indeed, because it has the potential to reveal a whole lot about people — and their family members — and some of it can’t be edited or upgraded to mitigate exploitation.  

I’ve long railed against being so quick to impart genetic and health information — it’s sort of your permanent record and once out there, potentially exploitable for life — since many of the testing firms that collect it don’t seem to place a premium on security. For instance, 23andMe didn’t acknowledge the breach until the data was available online.  

Yes, there are some super cool — and really necessary — things that can be done with that info, like solving cold cases and reuniting long-lost family members. Although the latter might come with a few surprises — I’ve had a couple of friends discover previously unknown siblings and children.

“We’re talking about the most sensitive data a person can provide: Their DNA. You can’t rotate it. You can’t protect it with MFA. And once it’s out, you can’t pull it back,” says Chad Cragle, CISO at Deepwatch. “Social engineering, blackmail and targeted phishing are all more effective when linked to your genetic footprint, and by extension, your family’s.” 

And users, anxious to traverse their genetic backgrounds looking for clues, rush in without understanding the potential consequences. “Most users don’t fully understand what they’ve consented to or agreed to, and even fewer realize how little control they have once the data is in motion,” says Cragle. “It’s shared, integrated and monetized, often with weak security, poor encryption and no clear way to opt out.” 

But there is such a bevy of privacy concerns with long-lasting information — do you want insurance companies to access genetic data without your permission and start making premium/coverage decisions based on genetic traits in your family tree? And, of course, in the hands of hackers, with AI added to the mix, the generational miseries could be even greater.  

“The consequences of DNA data falling into the wrong hands aren’t yet fully understood, and while we know there are many privacy concerns over health data being misused, the rapid growth of AI and genomic sequencing means things could evolve rapidly in this space,” says James Maude, Field CTO at BeyondTrust.

But AI is sure to make it more impactful. “We are already seeing AI threats challenge many advanced biometric security controls as deep fakes of ID documents, voice and video, so it is concerning to think what could be done in the future with compromised DNA data,” Maude says. 

To counter 23andMe’s sloppy security practices, a court recently decided the company and its data assets would be better off under the stewardship of a non-profit. Security experts aren’t having it, though.

“The court’s decision to transfer 23andMe’s assets to a nonprofit may calm immediate fears about commercial misuse of genetic data, but it raises a bigger question: What happens to deeply personal data when the business that collected it no longer exists as we knew it?” says Gal Ringel, cofounder and chief strategy officer at MineOS.

And, asks Cragle, “now we’re supposed to trust that the data is ‘safe’ because it’s under the care of a nonprofit run by the same people who initially failed to protect it?” 

NIST is trying to help. “In the wake of rapid advancements in genomic sequencing and significant security breaches in this emerging industry, NIST published guidance on genomic data cybersecurity in 2023,” says Maude. But the NIST guidelines are voluntary, not a regulatory requirement, he says.  

Organizations have to sort it out themselves…and quickly. 

Noting that if data is an organization’s most valuable asset, it should also be treated as its deepest responsibility, Ringel says, “whether you’re handling genetic sequences, financial transactions, employee records, or user behavior logs, the obligation is the same: Consent must be auditable, governance must be crisis-proof and privacy must outlive the company itself.”

Source: https://securityboulevard.com/2025/07/23andmeand-everyone-else-all-eyes-are-on-the-most-personal-data/?utm_source=rss&utm_medium=rss&utm_campaign=23andmeand-everyone-else-all-eyes-are-on-the-most-personal-data