09.04.25
Hi Claudia,
I wanted to share a commentary from Cybernews’ Aras Nazarovas on 23andMe's privacy risks.
In his commentary, Aras explores:
- The threat of combining genetic data with personal survey responses, creating highly detailed user profiles that can be exploited.
- The broader risks of data misuse, citing Cybernews research on the high incidence of healthcare data breaches in the US (65% of the top 100 hospitals have had a breach).
- The role of AI in cross-referencing data, making it easier to reverse-engineer identities from anonymized information.
You can find the full commentary below. Feel free to either publish the entire piece or quote certain parts.
Also, let me know if you’d like to speak with Aras for exclusive insights, including the recent Cybernews research of US hospitals and health systems.
Kind regards,
PR Manager at Cybernews
Email: zivile.kasparaviciute@cybernews.com
WhatsApp: +37067155862
The Unseen Dangers of 23andMe’s Collapse: A White-Hat Perspective
By Aras Nazarovas
Aras Nazarovas, Information Security Researcher at Cybernews
As soon as 23andMe filed for bankruptcy, concerns about its vast genetic and personal data exploded. Shortly after, a US judge ruled the company could sell its consumer data as part of the bankruptcy, triggering alarms about the potential misuse of sensitive information.
While most focused on the genetic data, the real privacy risk lies in the personal survey information the company has collected. From health details to lifestyle habits, these seemingly harmless answers now pose a far bigger threat – especially when combined with genetic data that customers thought was anonymous.
Genetic Data: Not Just a Sample, but a Security Risk
When customers sent their DNA to 23andMe, they handed over more than just a biological sample. They gave up a detailed profile of their genetic traits, health risks, and family history. While this data could benefit researchers, it also creates a security risk if misused.
But the threat goes beyond genetics. 23andMe also collected vast amounts of personal survey data. Over 85% of users consented to share sensitive information about their health, habits, and even personal vulnerabilities like drinking habits and risk tolerance. Combined with genetic data, this creates a highly detailed user profile.
This dual threat – genetic data plus personal survey responses – makes 23andMe’s database a target for corporate espionage, identity theft, and geopolitical manipulation.
The Privacy Problem of Personal Survey Data
While much of the public's concern centers around the sale of genetic data, the more pressing issue lies in the wealth of personal survey data 23andMe has collected. This information – about things like health conditions, mental health, and even lifestyle preferences – is much more personal than many realize. It's information that, if mishandled or sold to the wrong entity, could be used for targeted advertising, manipulation, or even discrimination.
For example, if the data were to be accessed by life insurance companies, it could lead to discriminatory practices based on genetic predispositions or health risks. Personal insights gleaned from survey answers could be used by marketers or even government agencies to build detailed profiles for manipulation or surveillance.
One need only look at the case of GEDmatch, where law enforcement used genetic data to apprehend the Golden State Killer, to understand the potential dangers of unrestricted access to this kind of information. In 2018, police uploaded an old crime scene blood sample to GEDmatch, which matched with a distant relative in the database. This violated the platform’s privacy policies but led to a successful arrest. The situation raises an uncomfortable question: could 23andMe’s data one day be used similarly, for criminal investigations or, worse, for government surveillance?
Survey Data: The More Dangerous Asset
While the sale of genetic data poses obvious risks, the survey data that 23andMe holds is arguably just as, if not more, dangerous. This is the information that reveals a person’s lifestyle choices, mental health, vulnerabilities, and social behaviors. As pointed out by Prof. Kayte Spector-Bagdady, personal insights about a person’s fears, hopes, and limitations are not just valuable to the company that collects them – they’re valuable to anyone willing to exploit them.
Take, for instance, data related to a person’s mental health or social habits. This can be used to target them with manipulative advertisements, exploit their emotional vulnerabilities, or even sell them products they don’t need. As we’ve seen with social media platforms like Facebook, where user data is harvested to influence consumer behavior, the stakes for privacy are high.
The risks of data abuse are not just hypothetical. Cybernews research shows that healthcare data breaches are very common, with 65% of the 100 largest US hospitals and health systems experiencing a recent breach. The fact that 79% of these institutions scored poorly on cybersecurity underlines just how vulnerable sensitive information can be. If health systems, managing far less detailed data, are prone to breaches, the risks with 23andMe’s wealth of personal and genetic information are similarly significant.
When combined with other data points available on the internet, such as a dating profile, social media activity, or even a medical record, the survey data from 23andMe creates an incredibly detailed picture of an individual. This could lead to personalized attacks, cyberbullying, or financial fraud, as well as more insidious forms of manipulation by those with access to such data.
AI, Data Cross-Referencing, and the End of Anonymity
The risks are compounded by advances in AI and data analytics, which can cross-reference genetic and survey data with public records, social media, and other databases. This combination of machine learning and vast datasets makes it possible to identify individuals with high precision, even when their data is supposed to be anonymized.
For instance, while 23andMe assures consumers that their data is protected, the reality is that AI can reverse-engineer identities from anonymized data.
ABOUT THE EXPERT
Aras Nazarovas is an Information Security Researcher at Cybernews, a research-driven online publication. Aras specializes in cybersecurity and threat analysis. He investigates online services, malicious campaigns, and hardware security while compiling data on the most prevalent cybersecurity threats. Aras, along with the Cybernews research team, has uncovered significant online privacy and security issues impacting organizations and platforms such as NASA, Google Play, the App Store, and PayPal. The Cybernews research team conducts over 7,000 investigations and publishes more than 600 studies annually, helping consumers and businesses better understand and mitigate data security risks.
Previous Cybernews research:
- Cybernews researchers analyzed 156,080 randomly selected iOS apps – around 8% of the apps present on the App Store – and uncovered a massive oversight: 71% of them expose sensitive data.
- Recently, Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, and the Cybernews security research team discovered an unprotected Elasticsearch index, which contained a wide range of sensitive personal details related to the entire population of Georgia.
- The team analyzed the new Pixel 9 Pro XL smartphone’s web traffic and found that Google's latest flagship smartphone frequently transmits private user data to the tech giant before any app is installed.
- The team revealed that a massive data leak at MC2 Data, a background check firm, affects one-third of the US population.
- The Cybernews security research team discovered that the 50 most popular Android apps require 11 dangerous permissions on average.
- They revealed that two online PDF makers leaked tens of thousands of user documents, including passports, driving licenses, certificates, and other personal information uploaded by users.
- An analysis by Cybernews research discovered over a million publicly exposed secrets in the exposed environment (.env) files of over 58 thousand websites.
- The team revealed that Australia’s football governing body, Football Australia, has leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ personal data and players’ contracts and documents.
- The Cybernews research team, in collaboration with cybersecurity researcher Bob Dyachenko, discovered a massive data leak containing information from numerous past breaches, comprising 12 terabytes of data and spanning over 26 billion records.
- The team analyzed NASA’s website and discovered an open redirect vulnerability plaguing NASA’s Astrobiology website.
- The team investigated 30,000 Android apps and discovered that over half of them are leaking secrets that could have huge repercussions for both app developers and their customers.