DNA testing startup exposes customer info in data breach (Updated)

DNA testing startup exposes customer info in data breach (Updated)
Credit: Veritas Genetics

Veritas Genetics, a DNA testing startup, has become the latest company to fall victim to a security incident that exposed customer information.

According to Bloomberg, the company said it recently became aware of an instance of unauthorized access involving a consumer-facing portal. While it did not contain genetic data or health records, the details are very scarce at the moment.

It hasn’t disclosed the exact nature of the breach, the kind of information that was accessed, or when it became aware of the incident, and for how long the portal lay exposed.

Veritas Genetics stated only “a handful of customers” were potentially affected by the breach and that it launched a forensic investigation upon learning of the unauthorized access to its customer-facing system.

“Our forensic investigation is ongoing, and we will notify any potentially impacted individual as appropriate under applicable law,” the company told Bloomberg.

So far, Veritas Genetics has not issued a public statement on the breach. We’ve reached out to the company for more specifics, and we’ll update the story if we hear back. (Statement from Veritas below.)

Cheaper genome sequencing

Co-founded in 2014 by George Church — who worked on the Human Genome Project that successfully mapped the DNA sequence of the entire human genome in 2003 — the Massachusetts-based firm offers a $599 DNA test kit called myGenome.

The product helps consumers determine the genetic drivers behind cancer, cardiovascular disease, and immune and neurological disorders based on results gleaned from whole-genome sequencing.

It also provides customers with an assessment of the health risks they may face later in life and if they’re likely to have an allergic reaction to more than 200 drugs that treat conditions such as depression, asthma, and diabetes.

Veritas Genetics competes with rivals such as 23andMe and Ancestry.com in the market as it aims to make genome sequencing tests cheaper and more affordable. Back in July, it announced that since 2016 it had sold about 5,000 genomes directly to individual consumers.

Privacy concerns galore

The development comes as a “game changer” warrant was obtained by the Florida police department to penetrate GEDmatch — an open data personal genomics service — and search its entire database of nearly one million users, a move that could set a precedent and have significant implications for genetic privacy.

What’s more, researchers last month demonstrated multiple vulnerabilities that could allow attackers to upload fraudulent DNA profiles by impersonating someone’s relative to create family matches in GEDmatch.

The direct to consumer services were also found susceptible to what they call “genetic hacking,” where an attacker could upload selected DNA sequences “to pull out the genomes of most people in a [public] database or to identify people with genetic variants associated with specific traits such as Alzheimer’s disease.”

With personal genomics firms handling sensitive DNA and other biological information, the incident is another reminder that healthcare companies need to be extremely careful about safeguarding personal data.

At the same time, using these services usually involves giving up deeply personal information, necessitating that users be aware of exactly how much information they might be relinquishing in exchange for researching family history or learning about their genetic makeup.

Update at 8:00 PM IST: Veritas Genetics provided us with the following statement:

Veritas Genetics was recently made aware of unauthorized access by a perpetrator to a customer facing portal. This portal does not contain genomic data in any form, genomic sequences in any form, Veritas test results in any form, nor health records. Once we learned of this access, we immediately remediated the issue and launched an investigation, and engaged external cybersecurity experts to assist us in our review.

The security and privacy of customer information is a top priority, and we have security processes and procedures in place as part of this commitment, including segregating and securing genomic data on separate systems.

Based on our investigation to date, only a handful of customers were potentially impacted, no genome sequences or genomic data or Veritas test results in any format were accessed and no customer information has been used inappropriately. It is important to note that Veritas Genetics does not store credit card information in its systems.

Our forensic investigation is ongoing, and we will notify any potentially impacted individual as appropriate under applicable law. We are also considering legal action against the perpetrator and will explore all available legal recourse based on the findings of our investigation.

Read next: CHEAP: Forget the Samsung T5, get this beefy 1TB Intel SSD for just $92