A simple test could leave your DNA – and your family’s – up for sale

Looking for answers to your heritage questions could give hackers more personal answers about you.


A popular DNA testing company has blamed weak passwords for a data leak that has allegedly resulted in millions of customers’ personal data being put up for sale on the dark web.

But experts told TND such companies have been making money off customers’ DNA for years – and this could present big risks for both customers and their families.

On Friday, 23andMe admitted customer profile information was “compiled” from accounts for customers who had opted for the ‘DNA Relatives’ feature, after reports emerged that “one million lines of data” for Ashkenazi Jewish customers had been released online.

In a since-deleted forum post, hackers reportedly offered to sell 23andMe data profiles for up to $US10 ($A15) per account, and PCMag reported at least seven million customers could be affected.

The leaked data includes account users’ names, profile photos, date of birth, geographical location and genetic ancestry results.

Can’t change DNA data

Much of the leaked data resembles information involved in major leaks from the likes of Medibank and Optus last year.

But Christopher Lean, research fellow at the University of Sydney’s theory and methods in the biosciences group, said a key concern is that unlike your driver’s licence or Medicare number, you can’t switch out your DNA once it has been made public.

And you won’t be the only person affected by such a leak.

“Your bank account can change … your passwords can change; all these little bits of data can change, but your DNA can never change. It always identifies you,” he said.

“And not only does it identify you, it can be used to identify your relatives. This includes relatives who don’t exist yet – children in the next generation.”

Unknown uses

While you might be happy to send off some spit to get some information about your ethnic background or health risks, it is common for companies such as 23andMe to examine, store or sell your genetic code to be used by pharmaceutical companies, insurance companies and law enforcement.

In a famous case, the Golden State Killer was captured after law enforcement used semen from a rape kit to identify his relatives through the use of websites including FamilyTreeDNA, MyHeritage and GEDmatch.

While this took a violent criminal off the streets, Lean said there are “deep fears” around privacy as millions of people curious about genetic makeup add their DNA to massive databases.

And we still don’t know all the ways that information could potentially be used, Andelka M. Phillips, senior lecturer in law, science and technology at The University of Queensland, told TND.

“Genetic data can be used for lots of research purposes, and we can’t really anticipate all those purposes at the moment,” she said.

“23andMe … were acquired by Virgin in the last few years. Prior to that, they had at least 14 partnerships with pharmaceutical companies for research.

“For the most part, across the industry, the [DNA testing] companies are not really making a profit from the sale of tests themselves, but from the partnerships and mergers they can enter into.”

Piles of information

Phillips said DNA could add to the piles of information about you that are likely already available, which could add up to a frighteningly in-depth profile that could potentially be used for everything from private market research to identity theft.

And 23andMe isn’t the first DNA testing company to have sensitive customer information made public.

For example, an attack saw 1.3 million DNA records from GEDmatch’s database become available for US law enforcement searches despite only 280,000 customers actively choosing to share their data.

And even if you’re careful to read through the terms and conditions of a data testing company to ensure they won’t share your data, their rules can be overturned in a court of law – as seen in a case again involving GEDmatch and US police.

“If you’ve got an online dating profile, and you’ve engaged with a DNA testing company, and you have some wearable tech or internet … products in your home, that’s a lot of data that could be out there about you,” Phillips said.

“I’m not someone who is actually anti-industry, but I think this is an industry in need of regulation … both at the local and international level. And my recommendation for most people is that they actually think about what their views on privacy are [and] what their levels of comfort in terms of how their data is used and shared. How would they feel if their data actually was leaked?

“Just because you’re interested in one thing doesn’t necessarily mean that’s going to be the only way your data is used.”

Copyright © 2024 The New Daily.
All rights reserved.