23andMe Data Breach Might Have Compromised CT Users: Officials

CONNECTICUT — Officials are demanding information from 23andMe about potential Connecticut residents affected in a data breach that the company disclosed earlier this month, the Office of the Attorney General of Connecticut said in a news release Monday.

The data breach "reportedly exposed sensitive records for over five million users, including specifically those of Ashkenazi Jewish and Chinese heritage," officials wrote.

In its own press release, which was published Oct. 6, 23andMe said that customer profile information shared through the company’s DNA Relatives feature had been accessed without authorization, exposing names, sex, date of birth, geographical location, and genetic ancestry results.

"More specifically, we understand that the 23andMe breach has resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage," officials wrote in Monday's news release. "Reports indicate that a subsequent leak has revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web as a result of this hack."

Officials added that as of Monday, 23andMe had not yet submitted a breach notification, which is required by Connecticut law.

In a letter to the company, the Office of the Attorney General of Connecticut outlined a set of requests for 23andMe. Among these requests are that it reveals the number of Connecticut residents affected by the breach, the categories of personal information or data elements compromised, and whether the impacted residents will receive notice of their personal data being breached.

"The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public," officials noted in the letter.

Attorney General Tong emphasized in the letter that "23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code."

"This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information," Tong argued.

According to its website, 23andMe uses a saliva sample provided by the customer to analyze their DNA.

The company then turns the information into personalized genetic reports on ancestry composition, genetic health risks, and more.