Last month, a data breach at 23andMe sent shockwaves through the digital world. Sensitive records of over five million users were exposed in a breach at the genetic testing and ancestry company. The records included the users’ names, dates of birth, geographical locations, and genetic ancestry results.
The worst part of this breach was that the threat actor specifically targeted users of Ashkenazi Jewish and Chinese backgrounds. At least one million data profiles of individuals with the former ancestry and hundreds of thousands of individuals with the latter found their way into the black market.
This is not the first such incident. Earlier this year, there was a breach in the PSNI, leading to the names of police and civilian personnel getting into the hands of bad actors.
The 23andMe breach, however, highlighted a deeper issue that extends beyond this specific incident. It was not a traditional compromise of the company’s servers. Instead, the attackers took over individual user accounts and used them to reach the “DNA relatives matches” function. Through that feature, each compromised account exposed information about thousands of other users, demonstrating a significant challenge in modern data privacy.
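From a defender’s point of view, the pattern described above is a small number of accounts pulling far more relative profiles than any genuine user would. The following is an added example, not 23andMe code: it runs over a constructed access log (account, relative profile viewed, timestamp) and reports, per account, the peak number of distinct profiles viewed inside a sliding one-hour window, flagging accounts that exceed a threshold. The log format, the feature name and the threshold are assumptions for illustration.

```python
"""Spotting bulk harvesting through a relative-matching feature.

Added example with constructed data. The log layout is an assumption:
(ISO timestamp, viewing account, relative profile id).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two ordinary users plus one account that views
# 40 distinct relative profiles in under twenty minutes.
SAMPLE_LOG = [
    ("2023-10-01T10:00:00", "alice", "rel-001"),
    ("2023-10-01T10:05:00", "alice", "rel-002"),
    ("2023-10-01T10:06:00", "alice", "rel-001"),  # repeat view, not a new profile
    ("2023-10-01T11:00:00", "bob", "rel-010"),
    ("2023-10-01T11:30:00", "bob", "rel-011"),
    ("2023-10-01T11:45:00", "bob", "rel-012"),
]
SAMPLE_LOG += [
    # one view every 30 seconds from 12:00:00 to 12:19:30
    (f"2023-10-01T12:{i // 2:02d}:{(i % 2) * 30:02d}", "mallory", f"rel-{100 + i:03d}")
    for i in range(40)
]


def peak_distinct_profiles(log, window=timedelta(hours=1)):
    """Return, per account, the largest number of *distinct* relative profiles
    viewed inside any sliding window of the given length."""
    by_account = defaultdict(list)
    for ts, account, profile in log:
        by_account[account].append((datetime.fromisoformat(ts), profile))

    peaks = {}
    for account, events in by_account.items():
        events.sort()
        in_window = Counter()  # profile -> number of views inside the window
        start = 0
        peak = 0
        for ts, profile in events:
            in_window[profile] += 1
            # Drop events from the front until the window fits.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        peaks[account] = peak
    return peaks


def flag_enumeration(log, threshold=25, window=timedelta(hours=1)):
    """Accounts whose peak distinct-profile count exceeds the threshold.

    The threshold is a constructed value; a real deployment would derive it
    from the observed distribution of genuine users."""
    peaks = peak_distinct_profiles(log, window)
    return sorted(account for account, peak in peaks.items() if peak > threshold)


if __name__ == "__main__":
    for account, peak in sorted(peak_distinct_profiles(SAMPLE_LOG).items()):
        print(f"{account:<8} peak distinct profiles/hour: {peak}")
    print("flagged:", flag_enumeration(SAMPLE_LOG))
```

Counting distinct profiles rather than raw requests matters: a genuine user refreshing one relative’s page many times stays below the threshold, while an account walking through the match list does not. The same logic applies to any feature that lets one principal read records about many others.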
The Interconnected Nature of Genetic Databases Creates Problems
Genetic databases have a special characteristic: they disclose information about others who share genetic traits. When someone submits their genetic data to a company like 23andMe, that information inevitably reveals data about their relatives, even if those relatives never consented to data collection.
The 23andMe data breach underscores the collective impact of individual data decisions. One user’s agreement to data collection can lead to indirect harm to third parties, and the negative effects of data practices can extend far beyond those whose data was directly collected. Data analytics and AI algorithms rely on interconnected datasets to make inferences and predictions, affecting entire groups of individuals.
This interconnected nature of data has far-reaching implications beyond genetics.
The equity issues arising from this interconnected data are significant. Hackers are offering lists of people with Ashkenazi Jewish ancestry for sale, increasing the risk of discrimination or harassment.
Similarly, individuals with certain genetic predispositions—Type 2 diabetes, Parkinson’s disease, or dementia, for example—are at risk of other consequences. These range from insurance premium hikes to employment discrimination.
The Growing Importance of Data Protection
23andMe’s data breach reminds us that we need to update our approach to data privacy as the information economy becomes more complex. Privacy laws should acknowledge the interconnected nature of data and the collective impact of data decisions. Providing consent on behalf of others—as 23andMe users did when they agreed to terms—should be scrutinised more closely to avoid collateral damage.
As corporate data practices can affect everyone, the obligation to protect individuals should extend to broader interests beyond individual consent. We need clear rules that prevent harm arising from data about groups, and that protect the privacy and security of individuals in the digital age. These rules should specify what companies are and are not allowed to do.
Data protection is now more crucial than ever due to the increasing volume, variety, velocity, and veracity of data. Recent statistics show that only 4% of IT and security leaders believe all of their cloud data is adequately secured. That indicates a concerning lack of protection for sensitive data.
This low level of data protection has led to the emergence of Data Security Posture Management (DSPM). This is a field focused on identifying security gaps and remediating over-exposed data. However, many DSPM solutions, particularly new entrants to the market, are incomplete. They struggle with issues like limited discovery and classification capabilities, poor user access mapping, and inadequate data flow tracking.
Key Elements of Robust DSPM Solutions
Robust DSPM, as highlighted by experts at BigID, provides several key elements to address these issues, especially in cloud and hybrid data environments:
Discover Your Data: The fundamental first step in securing sensitive data is knowing where it resides and what it contains. Discovery across every data store ensures comprehensive coverage.
Map User Access to Data: Understanding who can access the data and addressing inappropriate permissions is crucial. Access governance features can help identify over-privileged users and overexposed data. That helps organisations swiftly address these threats and prevent data breaches.
Track Data Flows: Knowing the source and flow of data is essential for data security. Features like lineage integrations enable customers to understand data flows and protect sensitive data effectively. This includes deep metadata discovery and real-time capabilities to monitor changes.
Protect Against Data Exposure: To mitigate security concerns, DSPM solutions provide the ability to control user access and data usage. Remediation and access intelligence tools reduce data exposure and privileged access, improving security and access management.
Assess and Report: Reliable DSPM providers offer a basis for evaluating data security. For instance, they provide user-friendly dashboards and automated risk assessments that ensure ongoing visibility and compliance with policies.
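The five elements above form one pipeline: discover and classify, follow lineage, map access, remediate, report. The script below is an added example of that pipeline on a constructed inventory; it is not BigID’s or any vendor’s code. The table contents, the classification patterns (including a made-up genotype format), the ACL, the lineage edges and the “broad principal” names are all assumptions chosen to show one over-exposed genetic table and one export that inherits sensitivity from its source.

```python
"""A minimal DSPM pass: discover, track flows, map access, protect, assess.

Added example on constructed data; the inventory, patterns and ACL are assumptions.
"""
import re

# Discovery rules: a column is labelled when every sample value matches.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "date_of_birth": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "genotype": re.compile(r"^rs\d+:[ACGT]{2}$"),  # constructed SNP-call format
}

# Constructed inventory: table -> column -> sample values.
TABLES = {
    "customers": {
        "email": ["a@example.com", "b@example.com"],
        "dob": ["1980-01-02", "1990-05-06"],
        "plan": ["basic", "plus"],
    },
    "genotypes": {"user_id": ["u1", "u2"], "call": ["rs123:AG", "rs456:CC"]},
    "marketing_export": {"email": ["a@example.com"], "plan": ["basic"]},
    "public_stats": {"region": ["EU", "US"], "count": ["100", "200"]},
}

# Constructed access grants: table -> principal -> permission.
ACL = {
    "customers": {"analyst-group": "read", "dba": "admin"},
    "genotypes": {"research": "read", "everyone": "read"},  # over-exposed
    "marketing_export": {"everyone": "read"},
    "public_stats": {"everyone": "read"},
}

# Constructed lineage: derived table -> list of upstream sources.
LINEAGE = {"marketing_export": ["customers"]}

# Principals that amount to "anyone in the organisation" (assumption).
BROAD_PRINCIPALS = {"everyone", "all-users"}


def classify_tables(tables):
    """Discover: label each table with the kinds of sensitive data it holds."""
    labels = {}
    for name, columns in tables.items():
        found = set()
        for values in columns.values():
            for label, pattern in SENSITIVE_PATTERNS.items():
                if values and all(pattern.match(v) for v in values):
                    found.add(label)
        labels[name] = found
    return labels


def propagate_lineage(labels, lineage):
    """Track flows: a derived table inherits every label found upstream."""
    result = {name: set(found) for name, found in labels.items()}

    def upstream(name, seen):
        for parent in lineage.get(name, []):
            if parent not in seen:
                seen.add(parent)
                upstream(parent, seen)
        return seen

    for name in result:
        for parent in upstream(name, set()):
            result[name] |= labels.get(parent, set())
    return result


def find_overexposed(labels, acl, broad=BROAD_PRINCIPALS):
    """Map access: sensitive tables readable by a broad principal."""
    hits = [
        (table, principal)
        for table, grants in acl.items()
        if labels.get(table)
        for principal in grants
        if principal in broad
    ]
    return sorted(hits)


def remediation_plan(labels, acl):
    """Protect: the ACL with broad grants on sensitive tables removed."""
    fixed = {table: dict(grants) for table, grants in acl.items()}
    for table, principal in find_overexposed(labels, acl):
        del fixed[table][principal]
    return fixed


def assess(tables, acl, lineage):
    """Assess and report: run all steps and summarise the posture."""
    labels = propagate_lineage(classify_tables(tables), lineage)
    return {
        "labels": labels,
        "sensitive_tables": sorted(t for t, found in labels.items() if found),
        "overexposed": find_overexposed(labels, acl),
        "fixed_acl": remediation_plan(labels, acl),
    }


if __name__ == "__main__":
    report = assess(TABLES, ACL, LINEAGE)
    for key in ("sensitive_tables", "overexposed"):
        print(f"{key}: {report[key]}")
```

The lineage step is what makes the export show up: its own columns only reveal an email address, but because it is derived from the customer table it inherits the date-of-birth label too, so a broad read grant on it counts as exposure of that data as well.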
The 23andMe data breach serves as a stark reminder that data breaches can have far-reaching consequences. This is especially true when sensitive genetic and personal information is involved. Robust DSPM solutions are critical in helping organisations address these challenges. They help protect sensitive data and prevent data breaches that can lead to harmful consequences for individuals and communities.

Parul Mathur has been writing since 2009. That’s when she discovered her love for SEO and how it works. She developed an interest in learning HTML and CSS a couple of years later, and React in 2020. When she’s not writing, she’s either reading, walking her dog, messing up her garden, or doodling.