Connecticut Attorney General William Tong has sent a letter of inquiry to 23andMe after a data breach last month, expressing concerns about the fallout, as well as the possible ethnicity implications of the stolen data.
On October 6, 23andMe announced that “customer profile information” shared through the company’s “DNA Relatives” feature had been compiled and released using 23andMe accounts accessed without authorization. This resulted in the compilation and exposure of individuals’ names, sex, date of birth, geographical location, and genetic ancestry results.
Three days later, 23andMe said it was working with third-party forensic experts as well as federal law enforcement officials. The company also said it would reach out to customers with more information if they found that their data had been accessed without their authorization.
Then, on October 20, the company announced it had “temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.”
But, in a letter sent to the company Monday, Tong reveals additional information about the threat actor and their motives that 23andMe had not previously disclosed.
Addressing Jacquie Cooke, 23andMe’s General Counsel and Privacy Officer, Tong notes that the threat actor has posted sample data indicating the attack was targeted at account holders with specific genetic heritage.
“More specifically, we understand that the 23andMe breach has resulted in the targeted exfiltration and sale on the black market of at least 1 million data profiles pertaining to individuals with Ashkenazi Jewish heritage,” writes Tong. “Reports indicate that a subsequent leak has revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web as a result of this hack.”
Given the political and social climate of the last few years—and the increased frequency of antisemitic and anti-Asian rhetoric and violence—the sale and publication of this protected data may be particularly dangerous for many individuals.
Additionally, Tong says 23andMe has not submitted a breach notification pursuant to Connecticut’s breach notification statute. This, together with the other information above, leads him to raise 14 questions to which he seeks answers by November 13.
The first few questions address the actual incident, including calls to state the total number of individuals whose data was affected, as well as a breakdown of the categories of personal information/data that were compromised. Tong also asks for clarification on the breach timeline, including when the data exfiltration began and ended, as well as the steps taken following 23andMe’s discovery of the breach.
The next few questions address safeguards, both those in place before the breach—designed to prevent or detect “credential stuffing” attacks—and those implemented or in the process of being implemented to prevent this type of attack from occurring again.
Tong also questions the “DNA Relatives” feature and its opt-in process, as that seems to be the data element that was specifically targeted in this attack.
“Please describe any process or processes under which 23andMe obtains or obtained consent for the ‘DNA Relatives’ feature. Please include screenshots of the exact disclosures and clickthrough screens that have been shown to users prior to receiving their consent to opt in to the ‘DNA Relatives’ feature,” writes Tong.
Lastly, Tong requests a copy of any internal or third-party investigative report or audit performed by or for 23andMe related to the breach.