DNA testing kits have recently become increasingly popular as gifts. The ancestry testing business has grown into a $99 million industry. However, the sensitivity of the DNA information these companies collect has raised privacy alarms. Unfortunately, for now, DNA results from genetic testing are not covered under HIPAA.
Why a DNA data breach is a highly dangerous leak
“This data can potentially be monetized to insurance companies,” says Giovanni Vigna, a professor of computer science at UC Santa Barbara and co-founder of cybersecurity company Lastline. “The possible consequences: one day, I might get rejected when applying for a long-term loan because, deep in the enterprise system, there is data that I am very likely to die before I would repay the loan because of a deadly ailment.” More and more parties are also becoming interested in DNA reports: insurance organizations want them to help determine the cost of health insurance, researchers want them for experimental studies, and police want them to help hunt down criminals, as in the recent Golden State Killer case.
Sites like AncestryDNA, 23andMe, African Ancestry, Family Tree DNA, National Geographic, and MyHeritage let users submit their DNA, build family trees, search historical records and hunt for potential relatives. An extensive database is a differentiator that contributes to the accuracy needed to solve a paternity dispute.
Founded in Israel, MyHeritage is an ancestry testing site that launched a service in 2016 letting its registered customers send in a saliva sample for genetic interpretation. MyHeritage was advertising a $59 test kit that would help the user uncover ethnic roots and find new relatives. As of mid-2018, the company is known to have 35 million family trees on its website, 96 million users, and 1.4 million users who have taken the DNA test.
How the Breach Was Confirmed
On June 4, 2018, at approximately 1 pm EST, MyHeritage’s Chief Information Security Officer, Omer Deutsch, received a message from an unnamed security researcher. As required by the EU’s GDPR, MyHeritage announced the breach on the same day it found out about it. Under the GDPR, companies operating in the EU must disclose any security incident within three days of finding out.
The security researcher reported that he had found a file named “MyHeritage” containing the email addresses and one-way hashed passwords (not plain-text passwords) of 92,283,889 users, located on a private server outside of MyHeritage. This incident marks the most significant data breach of the year and the most significant leak since last year’s Equifax hack.
After further examination, their security team confirmed that the file's contents originated from MyHeritage and contained the email addresses and hashed passwords of registered users who signed up before October 26, 2017. There is no exact information about when the actual data breach happened. Moreover, there is no evidence that, for around seven months, the perpetrators have used the infiltrated accounts to gather more private information or other additional data. Although the salt used in the hashing process is unique per user, it still isn’t clear what hashing algorithm MyHeritage used to hash the passwords.
MyHeritage confirmed that the breach’s damage was limited: it only affects email addresses and hashed passwords. In addition, the salt used to create the hashed password differs for each user, which makes the hashes more resilient to cracking. Other information such as family trees and genetic data is stored on a separate system with added layers of security, and there is no evidence that this data has been accessed without authorization.
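Why the per-user salt matters, as an added example (not MyHeritage's code; the page does not name their algorithm): with a shared salt, a leaked table shows at a glance which accounts reuse a password, so one guess breaks all of them, while per-user salts force a separate attack on every record. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed parameters; the page does not say which algorithm MyHeritage used.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption)
SALT_BYTES = 16

Record = Tuple[bytes, bytes]  # (salt, digest) as stored next to the email

# Constructed sample accounts: two users happen to share one password.
SAMPLE_USERS = {
    "alice@example.com": "Summer2017!",
    "bob@example.com": "Summer2017!",
    "carol@example.com": "correct horse battery staple",
}

def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Derive a slow, salted digest; draw a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, record: Record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def build_table(users: Dict[str, str], shared_salt: Optional[bytes] = None) -> Dict[str, Record]:
    """shared_salt=None gives per-user salts; a fixed value models the weak design."""
    return {email: hash_password(pw, shared_salt) for email, pw in users.items()}

def duplicate_digest_groups(table: Dict[str, Record]) -> List[List[str]]:
    """Accounts whose stored digests collide, i.e. what a leaked table reveals."""
    groups: Dict[bytes, List[str]] = {}
    for email, (_, digest) in table.items():
        groups.setdefault(digest, []).append(email)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    weak = build_table(SAMPLE_USERS, shared_salt=b"site-wide-salt!!")
    strong = build_table(SAMPLE_USERS)
    print("shared salt, reused passwords visible:", duplicate_digest_groups(weak))
    print("per-user salt, reused passwords visible:", duplicate_digest_groups(strong))
    print("login check:", verify_password("Summer2017!", strong["alice@example.com"]))
```

Salting only removes the shared-work shortcut; how long each individual guess takes depends on the hashing algorithm and work factor, which is why the unanswered question about MyHeritage's algorithm matters.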
Post Incident Response
According to MyHeritage, shortly after learning of the incident, they set up an Information Security Incident Response Team to hire an independent cybersecurity firm. This firm is to help probe the breach and provide recommendations to MyHeritage on how to prevent future security issues. Additionally, the company is speeding up its work to roll out two-factor authentication for its registered users. Until then, MyHeritage advises all users to change their passwords immediately.