HARTFORD, Conn — Connecticut Attorney General William Tong sent a letter of inquiry to genetic testing and ancestry company after a reported data breach that exposed the records of over five million users, including specifically those of Ashkenazi Jewish and Chinese heritage.
23andMe, Inc. seeking details of a data breach that reportedly exposed sensitive records for
Earlier this month, 23andMe disclosed that customer profile information shared through the company’s DNA Relatives feature had been accessed without authorization, exposing names, sex, date of birth, geographical location, and genetic ancestry results. The person or organization has posted sample data indicating the attack was targeted at account holders with Ashkenazi Jewish and Chinese heritage.
“I understand that the 23andMe breach resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage. According to reports, a second leak revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web. Finally, most recent reports point to a third leak of information from 23andMe’s “DNA Relatives” feature containing the genetic ancestry information of an estimated four million individuals. I also understand from those reports that the threat actor claims to possess more than 300 terabytes of 23andMe data,” said Tong in the letter. “The increased frequency of [anti-Semitic] and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public.”
The company has not submitted a data breach notification to the Office of the Attorney General. Connecticut law requires a company whose data has been breached to provide the information to the state no later than 60 days following a security breach.
Attorney General Tong’s letter also notes that the breach calls into question the company’s compliance with the Connecticut Data Privacy Act, which provides Connecticut consumers with important rights over their personal data and imposes corresponding privacy and data security obligations on companies that maintain and process personal data.
“23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code. This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information,” said Tong.
Doug Stewart is a Senior Digital Content Producer at FOX61 News. He can be reached at dstewart@fox61.com.
---
Have a story idea or something on your mind you want to share? We want to hear from you! Email us at newstips@fox61.com
----
HERE ARE MORE WAYS TO GET FOX61 NEWS
Download the FOX61 News APP
iTunes: Click here to download
Google Play: Click here to download
Stream Live on ROKU: Add the channel from the ROKU store or by searching FOX61.
Steam Live on FIRE TV: Search ‘FOX61’ and click ‘Get’ to download.
