Attorney General William Tong pressed genetic testing company 23andMe for information this week related to a hack which has exposed records in at least one million data profiles through an attack targeted at people of Ashkenazi Jewish and Chinese heritage.
In a Monday letter, Tong reminded the ancestry testing company that Connecticut law requires notification to the state within 60 days of a data breach’s discovery. Although 23andMe alerted customers to the breach on Oct. 6, it had yet to notify the attorney general’s office, Tong said.
“[W]e understand that the 23andMe breach has resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage,” Tong wrote. “Reports indicate that a subsequent leak has revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web as a result of this hack.”
In its press release, the company said that whoever was behind the attack accessed information which customers had uploaded to their profiles using a “DNA Relatives” feature designed to help users connect with people genetically related to them.
A company investigation suggests that the hackers, or “threat actors,” were able to access the accounts of users who had recycled the same usernames and passwords that they had used as login credentials on other websites, a spokesperson said Wednesday.
“We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said in an email.
In his letter, Tong said that the targeted nature of the data breach was especially concerning given the recent prevalence of hate speech and violence.
“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public,” Tong wrote.
The attorney general also questioned the company’s compliance with Connecticut’s recently adopted data privacy law, which contained new data security responsibilities for entities that collect personal data on users.
“23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code,” Tong wrote. “This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information.”
The letter was directed at the company’s general counsel and privacy officer, Jacquie Cooke, and included more than a dozen questions from the attorney general, including requests for details about the attack, the company’s security policies, and a breakdown of how the breach will impact Connecticut residents. Tong asked the company to respond no later than Nov. 13.
In an email sent last month to impacted users, 23andMe alerted customers that some of their profile information had potentially been exposed.
“Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor,” the company wrote.
The potentially exposed profile data included information such as the user’s location, birth year, display name and profile picture, as well as their ancestors’ names and birth locations, according to a link provided to impacted users.
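The two mechanisms the article describes, credential reuse letting attackers log in as legitimate users, and the DNA Relatives feature exposing every profile connected to each taken-over account, can be illustrated from a defender's side. The following is an added example, not 23andMe's code or data: the login events, log fields, thresholds and relative graph are all constructed, and the detection rule is the standard credential-stuffing signal (one source trying many distinct accounts with mostly failures).

```python
"""Triage constructed login events for credential stuffing, then compute
how many DNA Relatives profiles the taken-over accounts could view."""
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome).
LOGIN_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "success"),
    ("198.51.100.2", "frank", "fail"),     # a user mistyping once
    ("198.51.100.2", "frank", "success"),
]

# Constructed DNA Relatives connections: account -> profiles it may view.
RELATIVES = {
    "carol": {"p1", "p2", "p3"},
    "erin": {"p3", "p4"},
    "frank": {"p5"},
}

def flag_stuffing_sources(events, min_accounts=3, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames with a high failure
    ratio. Credential stuffing tries each leaked username/password pair
    once, so one source touches many accounts and most attempts fail,
    unlike a legitimate user retrying their own account."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        s["fail"] += outcome == "fail"
    return {ip for ip, s in per_ip.items()
            if len(s["users"]) >= min_accounts
            and s["fail"] / s["total"] >= min_fail_ratio}

def compromised_accounts(events, bad_ips):
    """Accounts that saw a successful login from a flagged source."""
    return {u for ip, u, out in events if ip in bad_ips and out == "success"}

def blast_radius(accounts, relatives):
    """Union of profiles visible to the taken-over accounts: this is why
    far more profiles leak than accounts were actually logged into."""
    exposed = set()
    for account in accounts:
        exposed |= relatives.get(account, set())
    return exposed

if __name__ == "__main__":
    bad = flag_stuffing_sources(LOGIN_EVENTS)
    taken = compromised_accounts(LOGIN_EVENTS, bad)
    print(bad, taken, sorted(blast_radius(taken, RELATIVES)))
```

With the constructed data, two successful logins from the flagged source expose four distinct relative profiles, a small-scale version of the amplification the article reports.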