this post was submitted on 05 Dec 2023
582 points (99.5% liked)

Technology

59385 readers
2892 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

23andMe confirms hackers stole ancestry data on 6.9 million users::Genetic testing company 23andMe revealed that its data breach was much worse than previously reported, hitting about half of its total customers.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 139 points 11 months ago* (last edited 11 months ago) (6 children)

Would you let government collect DNA from people when they are born? Absolutely not, but I will definitely give it to a silicon valley start up who will then proceed to sell it and have it stolen.

[–] [email protected] 55 points 11 months ago (2 children)

If you're allowing a corporation to have it, you are giving de facto consent for government to collect it with zero regard for your rights whatsoever.

They have the greatest ability to buy it, the greatest ability to steal it, and a fairly unique ability to confiscate it.

load more comments (2 replies)
[–] [email protected] 4 points 11 months ago* (last edited 11 months ago)

I don't see how government vs private makes any difference.

A baby isn't capable of informed consent, so their DNA shouldn't be collected unless it's required for some medical reason (and then the sample should be immediately destroyed and no records kept).

If an adult, however, wants to voluntarily give these folks a DNA sample... well that's their choice. I'm not surprised it ended poorly.

load more comments (4 replies)
[–] [email protected] 81 points 11 months ago (30 children)

My gf wanted so bad for me to send my DNA to these clowns. I declined due to privacy reasons. She tried to convince me that they keep your info private. I told her that even if that was true, the government could still access it. She thinks I'm paranoid. And now her personal info is likely part of this leak.

[–] [email protected] 45 points 11 months ago

Lucky for you, if enough of your relatives send in their DNA they don't need to get anything from you directly.

[–] [email protected] 21 points 11 months ago* (last edited 11 months ago) (2 children)

My mother had breast cancer. I couldn't get a test to see if it was the inheritable one because then I would have to disclose it as pre-existing for the rest of my life. (For the record my mom took the genetic test and it was negative).

This is just one example.

What if in future, your insurance price depended on an inheritable diseases DNA clearance. You could refuse but then it would be $$$$$. What if my life insurance refused to pay upon my death because I had knowledge of a gene that causes cancer when I took out the policy?

PS not American.

[–] [email protected] 8 points 11 months ago

They’ll almost surely attempt this, but it will be much less clear cut on it. There’s federal law against discriminating on the basis of genetics, so they can’t explicitly charge more for it.

But you better believe it’ll be a component in a deep learning insurance adjustment model that charges you more and just tells you the model says so — I’d expect this to occur and a court case to happen.

load more comments (1 replies)
[–] [email protected] 10 points 11 months ago (2 children)

If you've ever had blood work done at the doctors office or had any tissue removed, your DNA is almost certainly on file somewhere. Human specimens are very valuable in research so whatever isn't needed for testing is sent off to various research facilities. There really aren't laws about tissue ownership so medical facilities can do whatever they like without your permission, though some still ask. Source: "The Immortal Life of Henrietta Lacks"

[–] [email protected] 8 points 11 months ago

This is only partially true. Due to things like Henrietta Lacks cells (HeLa cells for those working in cell culture), we actually have informed consent around this. They can’t just use your samples for not consented collection purposes (though in some cases, the further testing may fall under the original consent)

HHS rules note:

“If the tissues are identifiable, then subjects must provide consent for the secondary use and that consent must cover the elements of consent in 21 CFR 50.25.”

That really only applies to healthcare providers covered under FDA and HIPAA regs.

Obligatory not a lawyer etc.

load more comments (1 replies)
load more comments (27 replies)
[–] [email protected] 53 points 11 months ago (1 children)

Didn't they originally try to brush this off as credential stuffing and aggregation?

There should be harsher penalties around mishandling people's data, especially if you lie about it to save face.

[–] [email protected] 22 points 11 months ago

There are very big penalties in the EU for that.

[–] [email protected] 40 points 11 months ago* (last edited 11 months ago) (2 children)

Good thing that these things haven't really taken off in my home country. Otherwise, you don't even need to submit your DNA. If enough of your stupid relatives do it, they'll have a good idea about you.

[–] [email protected] 12 points 11 months ago

My uncle did this and I found out that I'm 3% Irish. As a Gamer, this is a Clayton Bigsby moment.

[–] [email protected] 37 points 11 months ago (2 children)

Two days ago they sent an update to their TOS that they will require arbitration and to reply to their legal department to "opt out".

[–] [email protected] 15 points 11 months ago (1 children)

I got the email from 23 and me about changing their terms of service as well (wordy for search engine optimization). I opted out of the change

[–] [email protected] 4 points 11 months ago

Thank you. Done.

[–] [email protected] 11 points 11 months ago

Probably not legal, but if it doesn't get challenged...

[–] [email protected] 35 points 11 months ago (1 children)

Instead of them selling it.

[–] [email protected] 4 points 11 months ago (3 children)

Supposedly not selling it...

load more comments (3 replies)
[–] [email protected] 34 points 11 months ago (3 children)

data on 6.9 million users

Nice.

load more comments (3 replies)
[–] [email protected] 34 points 11 months ago (3 children)

So I got an email today telling me that I would automatically accept their new ToS (which included barring me from class action lawsuits without 1-2 months of arbitration), but I could email them to refuse the change and keep the old ToS. I emailed them to refuse the change, was that a mistake?

[–] [email protected] 27 points 11 months ago* (last edited 11 months ago) (2 children)

I find it hard to believe "not responding to an email" is consent. I mean they can write that in an email but there's no way they could hold you to that in court.

[–] [email protected] 5 points 11 months ago* (last edited 11 months ago) (2 children)

If the original contract has provisions for changing it in this manner then it might hold up in court. But of they didn't have the foresight to include mandatory arbitration to begin with that's unlikely the lawyers who drafted it thought that far ahead.

What I'm curious about is if my brother's DNA was stolen. Do I have the right to sue for negligent handling of data that's as much his as mine?

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 10 points 11 months ago
load more comments (1 replies)
[–] [email protected] 29 points 11 months ago

And this, children, is why we don't give deeply personal data to companies.

[–] [email protected] 24 points 11 months ago

So hackers can have my info, but I can't have a copy of my own data.

[–] [email protected] 24 points 11 months ago (1 children)

Hey, at least they weren't put in the Jewish Database.

load more comments (1 replies)
[–] [email protected] 13 points 11 months ago (6 children)

Yet more evidence that we shouldn't be handing over sensitive data to random companies. Will this change anyone's behaviour? Sadly, probably not.

load more comments (6 replies)
[–] [email protected] 10 points 11 months ago (2 children)

The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.

23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said.

This is of course bad but is everyone thinking that actual DNA information was copied or what? That's what it seems like from y'all's comments. I mean that's a pretty easy leap to make, it's a DNA testing company after all, but they seem pretty specific on what data got out. I don't immediately see that this specific information is worse than say what a credit reporting agency has on you.

[–] [email protected] 8 points 11 months ago

I can see someone nefarious blackmailing people that discovered they accidentally married their long lost sister or those who found out their father cheated on their mother or something.

[–] [email protected] 4 points 11 months ago

The relatives thing is weird anyway. I took the 23andMe test and downloaded my raw data and wrote a script to find different marker values. The other info I provided the site probably isn't accurate. Don't really care if someone gets my DNA markers either cause DNA isn't like what most people think it is.

[–] [email protected] 7 points 11 months ago

Wait for the new wave of digital parenitity blackmail. Dear X, we see you have two children. We will let Z Y Q from Facebook know if you don't send eleventy itunes gift cards to.....

[–] [email protected] 4 points 11 months ago

This is so predictable. Large databases are valuable targets for theft.

It seems like the vulnerability at 23 was users who used the same password on another site.

Presumably the attackers had those databases (easy to obtain peeps, thats why we use different passwords and password managers) and a good script that let them login and download. Probably over a whole lot of proxy IPs, so it was hard for 23 to see that they were under attack for a while.

Don't know what else to say... Maybe 2 factor authentication should be more common. I guess with them you could spit on your monitor and it should log you in.

If that's the only issue it seems a bit of a far reach to say they were breached.

load more comments
view more: next ›