Connecticut attorney general presses 23andMe for data breach answers
The breach exposed Chinese and Ashkenazi Jewish user info on the dark web.
A data breach at the genetic testing and ancestry company 23andMe resulted in the black market sale of at least one million data profiles of people with Ashkenazi Jewish heritage and hundreds of thousands of individuals with Chinese ancestry, authorities said Tuesday as they announced an inquiry.
Connecticut Attorney General William Tong is seeking details of the data breach that exposed sensitive records for more than five million users, including specifically those of Ashkenazi Jewish and Chinese heritage.
23andMe revealed earlier this month that customer profile information shared through the company's DNA Relatives feature had been accessed without authorization. "This resulted in the compilation and exposure of individuals' names, sex, date of birth, geographical location, and genetic ancestry results," Tong said in a letter addressed to Jacquie Cooke, 23andMe's general counsel and privacy officer.
"Troublingly, the threat actor involved has posted sample data indicating that the 23andMe attack was targeted at account holders with specific genetic heritage," said Tong.
Tong's letter declares the data breach "resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage," as well as "hundreds of thousands of individuals with Chinese ancestry."
"The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public," Tong's letter to 23andMe said.
23andMe has not yet submitted a data breach notification to the Office of the Attorney General, which is required under Connecticut's data breach notification law, according to the letter, which also notes the company has 60 days to do so "after discovery of the breach."
The letter further said the breach calls into question the company's compliance with the Connecticut Data Privacy Act, which "provides Connecticut consumers with important rights over their personal data and imposes corresponding privacy and data security obligations on companies that maintain and process personal data."
"23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code. This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information," the letter said.
The letter goes on to make 14 specific requests for information from 23andMe, with a November 13 response deadline. The requests include the number of people affected by the breach, including Connecticut residents; the types of information compromised and whether it was exposed online; whether the company will officially notify affected Connecticut residents of the breach; a timeline of the data breach; any current or developing "plan, policies, and/or procedures" to prevent a future breach; and more.
In response to ABC News' request for comment, a 23andMe spokesperson said: "As this is an ongoing security investigation, we don't have any additional comment to provide other than what we've shared on our blog. We will continue to update the blog with more information as it becomes available."