State AG presses 23andMe for action after hack that targeted Ashkenazi Jewish, Chinese ancestry

Connecticut’s attorney general is demanding answers from genetic testing company 23andMe after a hack exposed the data of people with Ashkenazi Jewish and Chinese ancestry.

State Attorney General William Tong (D) sent a letter to 23andMe on Monday asking for information on a data breach that he says targeted the data of individuals with Ashkenazi Jewish and Chinese heritage.

“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public,” Tong wrote in the letter.

He said that the hack, which the company revealed earlier this month, resulted in the sale of at least one million data profiles of people with Ashkenazi Jewish heritage on the black market. He also said that another leak unveiled data pertaining to hundreds of thousands of people with Chinese ancestry.

“This resulted in the compilation and exposure of individuals’ names, sex, date of birth, geographical location, and genetic ancestry results. Troublingly, the threat actor involved has posted sample data indicating that the 23andMe attack was targeted at account holders with specific genetic heritage,” Tong wrote.

He also accused the company of not submitting a breach notification about the leak to the attorney general’s office or Connecticut residents. In his letter, he asked 23andMe to provide information on what specific data was exposed, what safeguards were in place and what further action was taken.

He asked for answers to his questions no later than Nov. 13.

A company spokesperson said that its investigation currently suggests that “threat actors were able to access certain accounts in instances where users recycled login credentials.” The spokesperson explained that the affected users had used the same usernames and passwords on 23andMe as on other websites that were previously hacked.

“We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.

Updated at 4:46 pm.