this post was submitted on 15 Sep 2024
194 points (99.5% liked)

Technology

35125 readers
159 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
 

DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.

"23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed Friday.

you are viewing a single comment's thread
view the rest of the comments
[–] AnEilifintChorcra@sopuli.xyz 21 points 3 months ago (2 children)

https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/

The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.

  • Usernames Profile Photos DoB

They can be linked to other online accounts. This allows for phishing, potentially scamming or getting additonal information on them which can lead to more sophisticated/personalised scams. Older, less tech savvy users are better targets for scammers.

  • Username Sex DoB Genetic Ancestry Location data

Data aggregators can sell this info to Health Insurance Companies or any other system who can then discriminate based on genes sex age or location

  • All of this information

Can contribute to people committing fraud with their information if they collect enough information from different sources.

  • DNA relatives

Having enough information about a user to use it to target their now known relatives in personalised scams.

The people that did this probably didn't know what information they were going to get, maybe they were hoping for payment info, and settled for trying to just sell what they got.

Any information, no matter how useless it might seem, is better than no information and enough useless information in the wrong hands can be very valuable.

Theres countless data breaches every year and people will collect it all and link different accounts from different breaches until they have enough information. Most people use the same email address for every website and a lot of people reuse the same passwords, which is how this data leak occurred. Knowing that these users reuse the same email/password combination here means theres a very good chance they've reused it elsewhere.

You can check out what data breeches have occured and if your email or password has been posted in any of these dumps here https://haveibeenpwned.com/

Once the information is out there, its out there for good and what might seem trivial now to you could be valuable tomorrow to someone else

[–] lattrommi@lemmy.ml 7 points 3 months ago

To add more possibilities/perspectives to the above:

The security question I've seen most in my life has probably been "What is your mothers maiden name?" which becomes fairly easy to guess with family history.

Ancestry information can reveal who is inbred.

It also can reveal politicians commiting nepotism.

Geographic location can show if someone lives in a redlined neighborhood or the part of town with all the mansions.

Simply the fact that an account exists on 23andme's website, implies someone took the test, which indicates they (or someone they know) has disposable income. Enough to pay for such a test (initially I believe it was $400 but I could be wrong) and that also implies they have some form of internet access and that they probably own a smartphone/computer/laptop/some kind of technology they can use to access their account. Thus they could be targeted simply for having potential income/assets above that of poverty level.

If actual DNA data was comprimised, which I doubt happened but suppose it did, an advanced enough attacker could use that to plant evidence at a crime scene. Who would believe a whistleblower after their DNA was found on a rape victim? Who would vote for a politician whose DNA was found on a murder weapon used to kill dozens of missing persons? They can scream "fake news!" all they want to, once that seed of doubt has been planted, once enough people are made to believe someone is guilty of some atrocity, it is hard to shake that belief. The DNA evidence is there. It was tested by scientists.

I could come up with more far fetched scenarios too. I made a list of them once because a family member purchased one of the 23andme tests for me to take. They did not understand why I refused to take the test. The reason was because a decade and a half prior, I was charged with a crime. The crime doesn't exist anymore where I live (illegal botany) but at the time it could have been a felony. I did not want to have a felony. Felons had their DNA added to a federal database to assist investigators in finding repeat offenders. I fought hard to ensure I was not convicted with a felony and succeeded by pleading to lesser charges.

The idea of having my DNA on file with a government agency like the FBI, CIA or NSA terrifies me. A malicious agent could do a lot of damage with it. They could invent threats with it to ensure I comply with their demands. The amount of possible damage they could inflict grows every day with new technology. DNA, gait and facial recognition, geofence data and an AI trained to make deepfakes, in the hands of a shadowy alphabet agency with little oversight, that's fairly unstoppable by a single person. Imagine if anyone could get their hands on that. A disgruntled coworker. An obsessive ex. A hormonal teen child having a temper tantrum.

I know this is long and extreme in parts. I hope this helps people understand that DNA data is powerful and could be abused in unimaginable ways.

[–] JusticeForPorygon@lemmy.world 4 points 3 months ago

Okay yeah that's pretty bad