92 Million MyHeritage Genealogy Accounts Breached. Now What?

by CipherCloud on February 19, 2019

The bad news is that previously 92 million MyHeritage user accounts were compromised. The recent cyberattack on the MyHeritage DNA and genealogy testing company compromised about 92 million user accounts, which makes this breach one of the largest known data breaches in the world. MyHeritage, based in Israel, has maintained that no genetic data was stolen during the cyberattack. Given the accelerating velocity of these cyberattacks and their overall success, we are seeing a rapidly increasing risk to the security of DNA data. DNA data is incredibly valuable and incredibly personal. Our DNA encoding is the most private data that we will ever possess and the ultimate definition of who we are. More than a fingerprint or a retinal scan, let alone a password or cell phone number, this data defines who you are at the most intimate and complete level. The potential scale of the misuse of this data is without measure. We worry about protecting data like credit cards, social security numbers, passwords, and more, but these don’t compare with the potential future value of your DNA encoding, let alone the harm it could do in the wrong hands. The attackers obtained emails and hashed passwords. Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. A smart cyberattacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts. Companies like 23andME offer FDA-approved DNA services that can identify genetic health risks. For example, 23andME tests can provide information about BRCA1, the human tumor suppressor gene. If you have a positive test result which shows a mutation in the breast cancer genes (BRCA1, BRCA2), you might be at higher risk of developing breast or ovarian cancer compared to the population that doesn’t have the mutated gene, though it is not guaranteed that you will develop cancer. There are also tests for celiac disease, Alzheimer’s disease, Parkinson’s disease, thrombophilia, G6PD anemia, and more. Can you imagine the interest in your genetic data to the less scrupulous health insurance companies worldwide? Would they deny you insurance? Consider also that this information, like other stolen data, would likely be up for sale on the Dark Web, where almost anyone could acquire it. The unscrupulous insurance company may be the least of your worries. Once stolen, who else could acquire it and what would they do with it? In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) normally protect your personal health information (PII) data. Unfortunately, the HIPAA regulation has a loophole in it with respect to the protection of DNA data. Patient data can be shared if, and only if, it has been anonymized. This means that identifying characteristics have been scrubbed from the data. This 1996 regulation did not anticipate the advent of genetic testing and was not written to protect against the release of genetic data specifically. Many of the genetic testing companies have already sold this data, claiming that it has been sufficiently anonymized. The devil is in the details around anonymization and exactly how it was implemented. The biggest fallacy in all of this is the belief that anonymized DNA data is adequately protected. Several scientists have been able to deduce the identity of people behind anonymous samples of DNA found in public research and university databases. There needs to be additional legislation specifically pertaining to protecting human DNA data and appropriate uses. The 1996 HIPAA regulation likely needs a specific amendment to address and protect this incredibly valuable data, recognizing that this data should not be released, under any circumstances or conditions. Further, as the MyHeritage attack has shown us, we need to aggressively protect this information in any form using hardened cyber defense technology like Zero Trust end-to-end encryption. Legislation, regulation, and the most careful cyber hygiene need to be applied in liberal doses and on the fastest timeline possible. Protecting customer data is more important than ever. New best practices such as the use of Zero Trust end-to-end encryption, cloud access security brokers (CASB+), and 2-factor authentication are required for data and threat protection as well as the barrage of new compliance regulations. To find out more about our CASB+ platform please check out https://www.ciphercloud.com/casb. You can learn more about our end-to-end Zero Trust encryption via https://www.ciphercloud.com/active-encryption. Or sign up for a CASB+ trial today!