Ranking Member Cassidy Raises Concerns over 23andMe Data Leaks, Potential Targeting of Minority Groups

Letter

Date: Oct. 20, 2023
Location: Washington, D.C.

"I write with significant concern over the recently disclosed data breach at 23andMe that resulted in the unauthorized disclosure of 1.3 million customers' information being posted on the dark web, including one million customers identified as people of Ashkenazi Jewish descent and 300 million customers identified as people of Chinese heritage. Data included name, sex, birth year, location, photos, health information, and genetic ancestry results. Hackers shared the information online as a database entitled, "Ashkenazi DNA Data of Celebrities." Some entries included well-known individuals, such as technology company CEOs. While 23andMe confirmed the breach on October 6, it has yet to provide details about when hackers first exploited a vulnerability in its systems.

As one of the largest purveyors of direct-to-consumer genetic tests, 23andMe plays a particularly important role in protecting the identities and privacy of your customers. Genetic information, unlike financial information and other types of identifying information, cannot be changed in response to data breaches. Genetic information is particularly sensitive, carrying health and personally identifying information that can be used against its owners. To this point, one commenter on the posted list proclaimed, "Crazy, this could be used by Nazis." This posting comes at a time of increasing rates of global antisemitism and anti-Asian hate, which can be leveraged to draw higher prices for the information and increase the threat from potential evildoers. Hackers offered these records for sale in the posting for between $1 and $10 each.

Your company's own website describes the potential negative health implications of association with Ashkenazi Jewish ancestry, namely incidence of Gaucher disease, Canavan disease, Tay-Sachs disease, Crohn's disease, and breast, ovarian, and prostate cancer. Such information in the hands of employers, potential employers, foreign governments, hostile actors, and others could be used to discriminate against individuals associated with the group.

The statement released by your company claims that 23andMe's systems did not experience a data security incident, but rather hackers gained access to user passwords and "scraped" more user information through the platform's DNA Relatives feature. Given that your company has 14 million users, the potential for sensitive user data breach is immense and could extend beyond this serious incident. It is critical that you take the necessary precautions to protect your customers from breaches that can have serious impacts on their livelihoods and wellbeing.

I ask that you answer the following questions, on a question-by-question basis, by November 3, 2023:

When did 23andMe become aware of the data breach? What protocols did 23andMe follow once it became aware of the data breach?

When did 23andMe notify users of the data breach? Which users did the company notify and how did it notify them?

What regulatory or contractual obligations and considerations are 23andMe subject to as holders of individual genetic data and the phenotypes evident from such data? Specifically, what privacy, security, and breach notification obligations?

What security protocols, both cyber and physical, does 23andMe have in place? Is 23andMe accredited by any privacy and security organizations? If so, which?

How often does 23andMe conduct audits on its privacy and security protocols? What were the results of the most recent audits?

Why are individual users given access to others' genetic information and profiles, such as through the DNA Relatives feature? How much access do they have? What types of data belonging to others are accessible?

What search tools and algorithms does 23andMe use to allow large-scale downloads of user data based on specific demographics? How did hackers compile such a comprehensive list of impacted users to the dark web?

How was mass user data, allegedly hundreds of personal accounts per compromised user account, obtained by access to a few individual accounts?

23andMe stated that the hackers that obtained unauthorized data violated its terms of service. How many times has 23andMe found that an entity or an individual violated these terms in the past year and what are the consequences of such a violation?

What is 23andMe doing to remediate the impact of the data breach? How is the company compensating affected users?

What is 23andMe doing to prevent future data breaches or unauthorized disclosure of customer data?"

