MyHeritage, a leading DNA-testing company based in Israel, on Monday announced that a security researcher had found email addresses and hashed passwords for more than 92 million of the company's customers on a private server.
Millions of U.S. residents submit their DNA to testing companies—such as MyHeritage—with the hopes of gaining information about their family history. And while the latest breach did not include any health data, the Washington Post's "The Switch" notes that it comes on the heels of "a seemingly endless string of data breaches" affecting companies across different sectors, and shines a light on the risks presented by databases that house customer information.
According to STAT News, researchers in a 2017 study concluded that genetic testing sites could be vulnerable to hacks that expose personal genetic information.
The breach occurred on Oct. 26, 2017, though the company said it was not aware of the incident until Monday, June 4, when the researcher who discovered the breach contacted MyHeritage's chief information security officer, Omer Deutsch.
Once MyHeritage received the researcher's alert, it analyzed the file the researcher sent and confirmed the contents were legitimate and came from MyHeritage. The company did not explain either how the breach happened or how the intrusion went undetected for seven months.
According to MyHeritage, the breached information includes email addresses and hashed passwords for the 92,283,889 users who created accounts before Oct. 27, 2017. MyHeritage said no other data were compromised. The company said it does not store credit card information, and that DNA information and family trees are not housed on the server that stores email addresses. In a statement, MyHeritage said, "There has been no evidence that the data in the file was ever used by the perpetrators."
MyHeritage said it is "taking immediate steps" to have an independent cybersecurity firm investigate the breach and determine the scope. In addition, the company has established a 24/7 support team to respond to customer questions.
Further, MyHeritage has advised users to change their passwords. The company also said it is accelerating its rollout of two-factor authentication.
In a statement to customers, MyHeritage said, "As always, your privacy and the security of your data are our highest priority. We continually assess our procedures and policies and seek new ways to improve our approach to security. We understand the importance of our role as custodians of your information and work every day to earn your trust."
Laura Hercher, a professor at Sarah Lawrence College who teaches about genetics and ethics, said, "When you put DNA and privacy together in a sentence, understandably and correctly, it makes people nervous." However, she added that the MyHeritage breach doesn't seem different from breaches at companies that don't handle genetic information.
Hercher said, "I would rather give someone my DNA than my social security number, my search history, or my credit card" (Kelly, The Verge, 6/5; MyHeritage statement, 6/4; Shaban, "The Switch," Washington Post, 6/5; KrebsonSecurity, 6/5; Thielking, STAT News, 6/5).
Advisory Board's take
While it appears that this breach exposed only account-related information, the potential targeting of the sensitive information that MyHeritage and other ancestry or DNA firms collect should serve as a warning for all health care organizations that store DNA data—especially providers who see personalized and precision medicine as the future of patient care. To earn consumers' trust, providers must have a strong security program in place that their board and all executive leaders are willing to stand behind.
The C-suite and board must ensure that the organization's security plan aligns with and supports its overall strategy. Leading organizations recognize that this requires investment in technical capabilities, but also investment beyond them.
Therefore, every executive needs to play his or her role in a way that matches the organization's overall cybersecurity plan. The CIO and CISO will be critical partners, but they can't be left to lead the charge on their own—others must support them. For example:
- The board can ensure mechanisms are in place to track security status and progress;
- The CEO can include cybersecurity in due diligence of any M&A or partnership activity;
- The CMO and CNO can make the clinical voice heard in the organization's security governance;
- The CFO can ensure funding requests for security tools and services are vetted against a security strategy and roadmap;
- The COO can ensure business continuity plans are in place, tested, and work well across all shifts; and
- The CHRO can ensure the security team has the necessary staff to operationalize its security strategy.
Check out our brand new cybersecurity cheat sheet series, which outlines what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.