Email, DNA, personal data… Why the race against hackers is already lost – L’Express


The world will be transparent. That was the thesis of my last essay, Let’s smile, we’re being filmed!. The reasons are twofold. First, we record and share what happens around us on an unprecedented scale. Second, the security of information systems cannot keep pace with the ingenuity of hackers. The recent data theft from the genetic testing company 23andMe confirms this prediction.

In 2006, the estimated cost of sequencing a single human genome was approximately $14 million. That same year, Anne Wojcicki launched a company promising direct-to-consumer genetic testing for as little as $99. In seventeen years, the company has built a strong brand, withstood a regulatory challenge and ridden the wave of popularity of special purpose acquisition companies (SPACs) to list on the stock market. As of last September, nearly 14 million people had had their DNA tested by 23andMe, and 80% of them had agreed to share their results for research that could lead to the discovery of new treatments or disease markers.

At the beginning of October, the story became complicated. 23andMe revealed that attackers had broken into certain user accounts. The company said they had used that access to harvest the personal data of a much broader set of users through its social sharing feature, DNA Relatives, without specifying how many users were affected. In a document filed in early December with the United States Securities and Exchange Commission, the stock market’s watchdog, the company stated that the malicious actor had been able to access a very small percentage (0.1%) of user accounts. 14,000 is not that many people, but that number leaves out the users whose data was scraped through DNA Relatives.

Finally, under pressure from the hackers, who had already begun selling data on criminal forums that appeared to come from at least a million users, the company admitted that the attack had made it possible to collect the personal data of 6.9 million people, almost half of its customers. The hackers took names, most recent login dates, relationship labels, predicted relationships and the percentage of DNA shared with DNA Relatives matches, but not the raw genetic data itself.
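The arithmetic behind that jump from 0.1% of accounts to half the customer base is worth seeing on a graph. The simulation below is an added illustration, not 23andMe code: a synthetic random graph stands in for a DNA-Relatives-style feature in which each user can read the profiles of their matches, so every match of a compromised account is exposed. The user count, the average number of matches, the compromised fraction and the 1,500-match cap used in the analytic estimate are all assumptions chosen for the example.

```python
"""How far a small account compromise reaches through a relatives-sharing feature.

Added illustration, not 23andMe code. Graph size, match counts and the
compromised fraction are assumptions; the graph is constructed at random.
"""
import random


def build_match_graph(n_users, avg_matches, seed=0):
    """Constructed undirected graph with about avg_matches matches per user."""
    rng = random.Random(seed)
    matches = {u: set() for u in range(n_users)}
    target = n_users * avg_matches // 2
    added = 0
    while added < target:
        a, b = rng.randrange(n_users), rng.randrange(n_users)
        if a != b and b not in matches[a]:
            matches[a].add(b)
            matches[b].add(a)
            added += 1
    return matches


def exposed_profiles(matches, compromised):
    """Profiles readable from the compromised accounts: themselves plus all their matches."""
    exposed = set(compromised)
    for u in compromised:
        exposed |= matches[u]
    return exposed


def expected_exposed_fraction(compromised_fraction, avg_matches):
    """Independence approximation: a user escapes only if none of their matches is compromised."""
    return 1.0 - (1.0 - compromised_fraction) ** avg_matches


def simulate(n_users=10_000, avg_matches=60, compromised_fraction=0.01, seed=0):
    """Return (fraction of accounts compromised, fraction of profiles exposed)."""
    matches = build_match_graph(n_users, avg_matches, seed)
    rng = random.Random(seed + 1)
    compromised = rng.sample(range(n_users), int(n_users * compromised_fraction))
    exposed = exposed_profiles(matches, compromised)
    return len(compromised) / n_users, len(exposed) / n_users


if __name__ == "__main__":
    c, e = simulate()
    print(f"compromised {c:.1%} of accounts -> {e:.1%} of profiles exposed")
    # Assumed parameters: 0.1% of accounts, each seeing up to 1,500 matches.
    print(f"analytic estimate at 0.1% / 1500 matches: {expected_exposed_fraction(0.001, 1500):.1%}")
```

The lesson for anyone designing a sharing feature is that exposure scales with the number of profiles a single account can read, not with the number of accounts an attacker manages to take over; rate limits and per-account visibility caps, not just login security, bound the blast radius.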

The company was criticized both for its lack of transparency and for changing the dispute resolution and arbitration provisions of its terms of service days after the incident was disclosed. Following the incident, it forced all of its users to reset their passwords and began requiring two-factor authentication for all customers, citing that the attackers had got in through accounts protected by a password alone, using passwords reused from other sites’ breaches. But, if we take a step back, this event illustrates how the race against hackers is lost before it starts. It will be even more so as the sharing of user data between companies grows, particularly through social features. Imagine the day when the Google or Meta ID with which you log in to every other service on the web is compromised.
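Credential stuffing of this kind leaves a recognisable trace in authentication logs: one source trying many distinct accounts with a high failure rate, and a few passwords that happen to work. The detector below is an added example, not 23andMe’s tooling; the log format, field names and thresholds are assumptions, and the log lines are constructed for the example. It also shows why the two-factor mandate matters: a password that is accepted on an account with a second factor enrolled is a challenge, not a compromise.

```python
"""Spotting credential stuffing in an authentication log.

Added example, not 23andMe's tooling. Log format, field names and thresholds
are assumptions; the log lines are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample: one source tries many distinct accounts with mostly
# failures (replaying a leaked credential list); one ordinary user mistypes
# a password twice. 'mfa' records whether the account has a second factor enrolled.
SAMPLE_LOG = """\
2023-10-01T02:14:01Z ip=203.0.113.7 user=alice result=fail mfa=yes
2023-10-01T02:14:02Z ip=203.0.113.7 user=bob result=fail mfa=no
2023-10-01T02:14:02Z ip=203.0.113.7 user=carol result=pass mfa=no
2023-10-01T02:14:03Z ip=203.0.113.7 user=dave result=fail mfa=no
2023-10-01T02:14:03Z ip=203.0.113.7 user=erin result=fail mfa=yes
2023-10-01T02:14:04Z ip=203.0.113.7 user=frank result=pass mfa=no
2023-10-01T02:14:04Z ip=203.0.113.7 user=grace result=fail mfa=no
2023-10-01T02:14:05Z ip=203.0.113.7 user=heidi result=fail mfa=no
2023-10-01T02:14:05Z ip=203.0.113.7 user=ivan result=pass mfa=yes
2023-10-01T02:14:06Z ip=203.0.113.7 user=judy result=fail mfa=no
2023-10-01T09:30:10Z ip=198.51.100.4 user=alice result=fail mfa=yes
2023-10-01T09:30:25Z ip=198.51.100.4 user=alice result=fail mfa=yes
2023-10-01T09:30:40Z ip=198.51.100.4 user=alice result=pass mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>pass|fail) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse the assumed key=value format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Sources that spray many distinct usernames and mostly fail look like stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        s["fail"] += e["result"] == "fail"
    return {
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_distinct_users
        and s["fail"] / s["total"] >= min_fail_ratio
    }


def triage(events, flagged):
    """Split accepted passwords from flagged sources by whether a second factor stood in the way."""
    exposed, challenged = set(), set()
    for e in events:
        if e["ip"] in flagged and e["result"] == "pass":
            (challenged if e["mfa"] == "yes" else exposed).add(e["user"])
    return sorted(exposed), sorted(challenged)


def analyse(text=SAMPLE_LOG):
    events = parse_log(text)
    flagged = flag_stuffing_sources(events)
    exposed, challenged = triage(events, flagged)
    return {"flagged_ips": sorted(flagged), "exposed": exposed, "challenged": challenged}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On the constructed log the spraying source is flagged, carol and frank are exposed because their reused passwords were accepted on accounts without a second factor, and ivan is only challenged. The ordinary user with two typos is never flagged, which is the distinction a per-source lockout would miss.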

Conversely, investors approved of 23andMe’s posture: its stock price gained 10% in one week. In 2021, the professional networking giant LinkedIn saw data associated with 700 million of its users, including email addresses and phone numbers, published on a “dark web” forum. Since then, its user base has grown by 16%. The same year, information on more than 530 million Facebook users, taken in 2019, was published for free, showing that the company had preferred reputational risk to paying a ransom. Sites already collect and archive every leak and let anyone search through them. In the not-so-distant future, tired of this risk, we will accept it and voluntarily choose transparency.

Robin Rivaton is Managing Director of Stonal and member of the Scientific Council of the Foundation for Political Innovation (Fondapol).
