MyHeritage Data Breach Likely not Focused on Genomic Data

June 19, 2018

Emily Mullin

On June 4, direct-to-consumer genetic testing company MyHeritage announced on its blog that the company experienced a data breach, potentially compromising more than 92 million users’ data. Almost immediately, the announcement made headlines and prompted alarm.

The Israel-based company said the breach didn't involve sensitive data like individuals’ DNA or their family trees, but customers of MyHeritage and other direct-to-consumer DNA tests may still be concerned about the privacy and security of their data. Experts say people should be worried about such data breaches, but not necessarily because their genetic information could end up in the wrong hands.

“People see ‘data breach’ and ‘DNA’ in the same sentence and they freak out. I think that concern, while understandable, is overblown,” says Michelle Meyer, Ph.D., J.D., who is an assistant professor and the associate director of research ethics in Geisinger’s Center for Translational Bioethics and Health Care Policy.

MyHeritage hasn’t commented on whether the breach, which was first brought to the company’s attention by a security researcher, was actually a hacking incident. In its initial June 4 statement, the company said the researcher found a file named “myheritage” on a private server outside MyHeritage. The file contained the email addresses and hashed passwords of 92.3 million users who had signed up to MyHeritage through Oct. 26, 2017, the date of the breach.

Password hashing is a security measure that transforms a password into a string of characters that looks random. Hashing algorithms make a one-way transformation to prevent someone with unauthorized access to the data from turning the hashed passwords back into the original ones. According to MyHeritage, its hash key is different for each customer. Hashing is different from encryption, which can be reversed with the right key.
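To make the per-customer hashing described above concrete, here is an added example (not code from MyHeritage or from the original article) that stores and checks passwords with a different random value per user. It assumes the "hash key" behaves like a per-user salt; the function names, sample accounts and iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch, not MyHeritage's setting


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no per-user value: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def create_record(password: str) -> dict:
    """Store a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the candidate password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    # Constructed sample accounts: two users who happen to pick the same password.
    users = {"alice@example.com": "family-tree-2017",
             "bob@example.com": "family-tree-2017"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: create_record(p) for u, p in users.items()}
    return {
        "unsalted_distinct": len(set(unsalted.values())),
        "salted_distinct": len({r["hash"] for r in salted.values()}),
        "login_ok": verify("family-tree-2017", salted["alice@example.com"]),
        "login_bad": verify("wrong-guess", salted["alice@example.com"]),
    }


if __name__ == "__main__":
    print(demo())
```

Without a per-user value, the two accounts share one stored hash, so a leaked file reveals which users chose the same password; with it, every record has to be checked separately.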

“We don’t know this was even a hack. It could have been an inadvertent placement of a file, for example,” Meyer says. “Even assuming that this was a nefarious hacker, the motivation for hacking databases is almost never to get at the substantive health data. It’s rather to perpetrate identity fraud.”

Meyer says health databases, such as electronic medical records systems at hospitals, are an attractive source of data for hackers because they can be used to find Social Security numbers and insurance policy numbers. It’s more likely that a theoretical hacker was after users’ credit card information than their genetic data, she says. MyHeritage charges $59 for an initial DNA kit and offers subscription genealogy services ranging from $88.50 to $175.77 annually. MyHeritage says it doesn’t store users’ payment information. Instead, it’s housed by third-party billing providers like BlueSnap and MyHeritage.

In a follow-up statement on June 10, MyHeritage said there’s “no evidence that anything has leaked beyond email addresses and the hashed passwords, which are not actual passwords, and no evidence of any unauthorized access to user accounts and data on MyHeritage.”

In other words, it’s highly unlikely that anyone’s DNA data was leaked. Hypothetically, even if hackers did get access to a person’s genetic information from MyHeritage or another such database, there’s probably little they could do with it, says Robert Green, M.D., a medical geneticist and physician-scientist.

“In reality, there are very few genetic markers that truly point deterministically toward a particular disease and certainly not for complicated psychiatric diseases or personality traits,” says Green, who directs the Genomes2People Research Program at Brigham and Women’s Hospital and Harvard Medical School.

Green’s research, which includes the MedSeq and BabySeq projects, explores how a person’s genomic information can be used in personalized medicine and clinical practice. “At this moment in science, there’s not very much that could be used either for or against you,” he says.

Green does, though, imagine a few plausible scenarios in which a person’s DNA data could be exploited. For example, “if you are a politician or a celebrity and you carry genetic markers suggestive of disease, like a BRCA1 mutation or a mutation for another kind of cancer, this information could be used against you.”

Green wrote about what would happen if political campaigns got access to candidates’ genetic information in the New England Journal of Medicine in 2008.

Bad actors could also use genetic information in corporate espionage—say, by trying to discredit a candidate for a CEO position by revealing that he or she has genetic markers for depression or bipolar disorder.

Luis Ceze, a computer scientist at the University of Washington who studies computer security, says what the average person is probably most worried about is the potential misuse of genetic information by insurance companies.

In the U.S., the Genetic Information Nondiscrimination Act of 2008, or GINA, protects people from genetic discrimination in health insurance and employment. But that protection doesn’t extend to life, disability, and long-term care insurance. Conceivably, hackers could sell genetic information to life insurance companies, which could turn around and deny people insurance if they have certain variants that put them at higher risk for certain diseases, such as Alzheimer’s.

Green says the most common reason people turn down participation in MedSeq, which involves genome sequencing at no cost to the participant, is that they’re concerned about privacy breaches and the potential for insurance companies to use the information against them. Plus, DNA sequencing has yet to prove benefit for the average, healthy person.

“Weighing uncertain benefits against this pervasive sense of vulnerability to privacy and discrimination concerns is a hard sell,” Green says.

Ceze, who along with his colleagues last year presented a study in which they found security gaps in DNA sequencing tools, says more data breaches like the MyHeritage one are likely to come.

“Data breaches happen all the time,” he says. But ones like the 2017 Equifax breach are likely much more serious than what happened with MyHeritage. In that case, hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, credit card numbers.

Meyer says if people perceive their genetic information isn’t safe, that could dissuade them from joining research studies that collect DNA data, like the National Institutes of Health’s precision medicine initiative, All of Us.