Data Breach at 23andMe Exposes Genetic Information of Thousands
A recent data breach at 23andMe, the popular genetic testing company owned by Google, has raised concerns about privacy, data security, and corporate accountability in the information economy. The breach, which occurred on Oct. 6, did not involve hacking into the company’s servers but rather targeted individual user accounts with weak or reused passwords.
After gaining access to hundreds of individual user accounts, the hackers leveraged the DNA relatives matches feature of 23andMe to obtain information about thousands of people who did not use the service. This incident highlights the intertwined nature of genetic information and the potential risks associated with data breaches.
Genetic information databases, like the one maintained by 23andMe, have a unique characteristic. When individuals submit their DNA samples to the company, it not only collects information about that person but also about their relatives who did not provide samples or consent to data collection. This shared information poses challenges for privacy and data security.
The implications of disregarding how personal data affects others extend beyond genetic data. Most data describes shared features between individuals, and every individual choice regarding personal data has spillover effects on others. Consequently, people can be exposed to various consequences, from financial loss to discrimination, resulting from data practices that rely on information about them and others.
Moreover, algorithms powered by artificial intelligence (AI) rely on databases containing information about multiple individuals to draw inferences. Companies analyze data collected from others to make probabilistic assessments about individuals or groups. As datasets like the one possessed by 23andMe grow larger, the choices of individuals not to participate become less significant.
The interconnected nature of data in the information economy raises equity concerns. In the case of the 23andMe data breach, hackers are offering for sale genetic information lists that include thousands of people, increasing the risk of discrimination and harassment. Leaked data containing names and locations could lead to adverse outcomes such as raised insurance premiums or employment discrimination. These risks highlight the need for privacy laws that address the collective impact of data decisions and place obligations on companies to protect individuals and their data.
To prevent group data harms like those resulting from the 23andMe breach, substantive rules are necessary to regulate what companies can and cannot do with data. Prohibitions on indiscriminate data collection and risky data uses can protect unsuspecting individuals from being collateral damage in data breaches. Since corporate data practices have the potential to impact everyone, safety obligations should extend accordingly.
The 23andMe data breach serves as a reminder that the consequences of data breaches are far-reaching and can have significant impacts on individuals and society as a whole. It highlights the need for robust privacy laws and responsible data practices to ensure the protection of personal information and mitigate the risks associated with data breaches.