In an SEC filing on Friday, Dec 1, genetic testing company 23andMe provided some, but not all, of the details around a compromise first reported in Oct. Alarmingly, over the weekend since the SEC report, the compromise of 14,000 users, or 0.1% of the customer base, has grown into nearly 7 million “affected” users, or half of the customer base. This is due to the sharing of profiles and genetic data between users and their relatives or potential familial connections. The reports state:
- The initial 14,000 users exposed “ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
- 5.5 million people who had opted in to the “DNA Relatives” sharing feature had exposed information including name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
- An additional 1.4 million people who opted in to “DNA Relatives” also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information.
With news awash in all types of breaches on virtually a daily basis, some will put this on the ever-growing pile of “Personally Identifiable Information” or PII exposures, and/or focus on the supposed password reuse that was the catalyst for the initial compromise. However, we wanted to go a little deeper. We asked Alethe Denis, a Bishop Fox Senior Red Team consultant and Social Engineering expert, for her quick-take perspective on what she sees as different about this breach, and how it is viewed by someone who is a career social engineer. With regard to the specifics of what data is available and the connective threads between users, Alethe offers up how she would approach using the information to underpin a social engineering campaign, some of the creative and specific things she would consider, and what she would counsel 23andMe users to be on the lookout for.