No DNA data lost – but a future hack could have severe repercussions, security researchers warn
No DNA data has been lost as a result of a hack at genealogy and DNA testing website MyHeritage that resulted in the leak of 92,283,889 email addresses and hashed user passwords, the company has claimed.
“Sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the Israel-based company said.
The announcement came two days after the company was directed by a security researcher to a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. The hack appears to have happened on October 26, 2017.
MyHeritage said the password hash key differs for each customer, which suggests it is using a salt: a unique per-user value added to the password before hashing, so that two users with the same password do not end up with the same hash and a precomputed table cannot be reused across accounts.
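To make the difference concrete, the following is an added example (not MyHeritage's code, and not from the article) that contrasts a plain, unsalted digest with per-user salted hashing using PBKDF2-HMAC-SHA256 from Python's standard library. The sample users, the 16-byte salt length and the iteration count are assumptions chosen for the illustration; a real deployment would pick the work factor from current guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: two users who happen to choose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
}

ITERATIONS = 200_000  # assumed work factor for this illustration


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical digests,
    so one cracked hash (or one precomputed table) breaks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given,
    so each stored credential is hashed under its own unique value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Hash every user's password with its own salt, as a credential table would."""
    return {email: hash_password(pw) for email, pw in users.items()}


def unsalted_digests_collide(users: Dict[str, str]) -> bool:
    """True if two users with the same password share an unsalted digest."""
    digests = [unsalted_hash(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def salted_digests_differ(users: Dict[str, str]) -> bool:
    """True if no two salted digests are equal, even for identical passwords."""
    store = build_store(users)
    digests = [digest for _, digest in store.values()]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    print("unsalted digests collide:", unsalted_digests_collide(SAMPLE_USERS))
    print("salted digests differ:  ", salted_digests_differ(SAMPLE_USERS))
    salt, digest = hash_password("correct horse battery staple")
    print("verify correct password:", verify_password("correct horse battery staple", salt, digest))
    print("verify wrong password:  ", verify_password("wrong password", salt, digest))
```

The salt is stored alongside the digest and is not secret; its job is to make each hash unique per account and to force an attacker to work on one account at a time, which is why a per-user value (as MyHeritage described) matters more than the choice of hash function alone.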
Gemalto CTO of Data Protection Jason Hart said: “This reinforces again that being breached is not a question of ‘if’ but ‘when’. Perimeter defences are just what they are, first lines of defence. When those fail, the only way data can be protected is to encrypt it. It is especially important that sensitive personal data is always encrypted. That way, if the data is stolen it is useless to the thieves.”
He added: “MyHeritage noted that it plans to add additional protective measures in the future. While it appears that MyHeritage hashed its passwords, this is a weak form of protection. Given today’s security climate, all online companies should have multi-factor authentication activated by default for all online accounts as well as using encryption and key management to secure sensitive data.”
“A Serious Wake Up Call”
Rashmi Knowles, EMEA Field CTO at RSA Security, told Computer Business Review: “While only email addresses were compromised, this should serve as a serious wake up call for all handlers of genetic data. If your password is stolen, it can be updated, but this isn’t the case with genetic information – you only have one genetic identity, so if this is stolen there are potentially much more serious consequences.”
He added: “But many people don’t think about this when applying for such services. No matter how secure the organisation, no one is completely risk-free, and if breached, genetic data could be sold on by hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts.”
“There’s even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future.”
The breach comes weeks after police used a DNA match on a publicly available genealogy website to catch the Golden State Killer, a notorious serial killer.