Welcome

Welcome to the official publication of the St Andrews Foreign Affairs Society. Feel free to reach out to the editors at fareview@st-andrews.ac.uk

The 23andMe Cyber Security Disaster: Geopolitical Implications of Genetic Privacy

All seven independent members of the 23andMe board resigned collectively just two weeks ago—leaving CEO Anne Wojcicki to fend for herself. To be clear, Wojcicki allegedly failed to offer an ‘actionable proposal that is in the best interests of the non-affiliated shareholders,’ prompting their departure. Though her company has turned little profit since going public in 2021, its cybersecurity disaster likely affected this decision and further exacerbated the company’s descent.

23andMe is one of the giants of the growing direct-to-consumer genetic testing services, offering a peek into ancestry, health risks, family health history, and wellness. Nearly a year ago, 23andMe fell victim to credential stuffing, a tactic where criminals use login credentials from previous data breaches to access other accounts. In this case, attackers obtained the genetic and lineage information of around 6.9 million users—including full names, home addresses, and birth dates. The data collected was then sold on the dark web, targeting individuals of Chinese and Ashkenazi Jewish heritage. In January 2024, customers filed a class action lawsuit against the company, claiming that 23andMe failed to protect their privacy. This September, 23andMe finally settled for $30 million USD.

Hackers targeted the website for five months before discovery on October 1, 2023. This discovery was not a consequence of the company’s security measures, but rather because the main perpetrator, a hacker called Golem, shared proof of customer information on a subreddit. Despite settling, 23andMe denies all wrongdoing and liability, blaming the customer for poor security practices. Though responsibility falls on the customer to create a complex, original password, the company grossly mishandled the privacy violation, delaying notifying those of Chinese and Ashkenazi Jewish heritage that they were purposefully targeted.

Founded for the greater good—to help people access, understand, and benefit from the human genome and fundamentally change healthcare—23andMe can become a tool easily manipulated to negatively affect its customers. As more curious individuals eagerly share their genetic data with companies like 23andMe, concerns about data sovereignty arise. Storing data within the physical boundaries of the country where it originated becomes increasingly difficult—the internet knows no physical limits and operates as a global tool. The data breach and the subsequent lawsuit call for strict regulations on genetic data companies, and a potential reassessment of how they deliver results to users. Ramesh Srinivasan, a professor of information studies at the University of California, warns that these types of breaches are likely to continue.  

Canadian Privacy Commissioner Philippe Dufresne and U.K. Information Commissioner John Edwards joined forces this June to reiterate these privacy concerns. Edwards emphasised that ‘people need to trust any organisation handling their most sensitive personal information.’ His Canadian counterpart expressed his unease with genetic information landing ‘in the wrong hands.’ The commissioners' statements reflect a broader issue: the need for stronger global cybersecurity measures as datafication—the process of turning lives into digestible data—becomes the new norm.  

The violation of 23andMe extends beyond creating difficult-to-crack passwords. Those targeted easily find themselves at the centre of growing political tensions. Just before hackers began to access the 23andMe database in 2023, the United States charged 40 Chinese officers over a transnational repression scheme operating within the country. China has a long track record of repressing dissidents, abroad and at home. The information stolen from 23andMe allows these intelligence agencies to continue to silence those who actively critique and question the state’s authority. Beyond defiant citizens, access to genetic data could be leveraged to track and target specific ethnic and religious groups historically oppressed by China, such as Tibetans, Uyghurs, and other minorities.

Those of Ashkenazi Jewish descent face a similar danger. Amid escalating conflict in the Middle East and the subsequent rise of antisemitism, many customers of Ashkenazi Jewish heritage expressed fear for their safety. Both Chinese and Jewish identities frequently become tools of oppression or conflict for extremists. Though 23andMe was founded to support people in their journeys of self-discovery, the company failed to execute adequate measures or take accountability to help those same people in the aftermath of the breach.  

The 23andMe leak highlights a new and strange reality: digital vulnerabilities and genetic data pose significant risks to both customers and greater global security. The company’s misconduct after the incident demonstrates a need for tighter oversight in private and public companies to safeguard consumers in the digital age. In this case—and inevitably in the future—user privacy and the political state of the national and international systems overlap. Personal information becomes a political weapon, exploited in the name of state surveillance, targeted attacks, and even systemic discrimination. Genetic testing companies are growing in popularity and must establish stronger accountability mechanisms, as these fated breaches risk becoming fuel for the more sinister uses of technology.


Image Courtesy of Hong Chong Bum via Flickr, ©2008, some rights reserved. 

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of the wider St. Andrews Foreign Affairs Review team.
