Data breach sparks DNA test privacy concerns

Genealogy service MyHeritage has revealed that some of their user account data has been hacked. 

Concerns over the safety of DNA testing services were raised last week, when email addresses and hashed passwords of more than 92 million users were found by an independent security expert on a private server located outside of the company. This caused particular alarm as MyHeritage also offers consumer genetic tests, although there is no evidence to suggest that any sensitive genetic information was compromised.

'When you put DNA and privacy together in a sentence, understandably and correctly, it makes people nervous', Laura Hercher, director of research in Human Genetics at Sarah Lawrence College, New York, told Stat News.

The MyHeritage security team reported that DNA information is stored on a segregated system, behind additional layers of security, and that payment information is hosted via third-party billing services. As the passwords stored were hashed – a process which converts passwords to seemingly random characters – MyHeritage claims it is unlikely that hackers have been able to use the email addresses to log in to this or any other services. 

The hacked data only runs up to the end of October 2016, suggesting that this was the date of the breach. This further reduces the chances of any DNA data being compromised, as MyHeritage did not offer consumer DNA testing at that time. 

Once data has been compromised in a breach, it is often impossible to determine whether it has been shared to a wider audience. This contributes to the worries some experts have about DNA data, which could be used to discriminate against people and their relatives seeking medical insurance or other services. 

'You can imagine the consequences,' Professor Giovanni Vigna, a cybersecurity expert at the University of California Santa Barbara, told The Verge. 'One day, I might apply for a long-term loan and get rejected because deep in the corporate system, there is data that I am very likely to get Alzheimer's and die before I would repay the loan.'

However, Hercher pointed out that many of the possible problems of DNA data misuse are as yet theoretical: 'I would rather give someone my DNA than my social security number, my search history, or my credit card.'

Israel-based MyHeritage report that they will be upgrading to two-factor authentication soon, and suggests that users change their password in the meantime.

More than 9 million samples have been processed across three of the top direct-to-consumer genetic test companies: Ancestry, 23andMe and MyHeritage. Each company is reporting continued growth.