Slashdot Mirror


MyHeritage, a DNA Testing and Ancestry Service, Announces Data Breach of Over 92 Million Account Details (vice.com)

Joseph Cox, reporting for Motherboard: Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage. The data relates to users who signed up to MyHeritage up to and including October 26, 2017 -- the date of the breach -- the announcement adds. Users of the Israel-based company can create family trees and search through historical records to try to uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website. In all, the breach impacted 92,283,889 users, according to MyHeritage's disclosure.

11 of 117 comments

  1. Gives a whole new meaning: Who's your daddy? by UnknownSoldier · · Score: 2

    With the security breach it kind of gives a whole new meaning to:

    Who's your daddy? :-/

    On a related note:

    When are we going to start fining companies that suffer a security breach?
    Until there is a financial penalty companies have very little motivation to take security seriously.

    1. Re:Gives a whole new meaning: Who's your daddy? by TechyImmigrant · · Score: 5, Interesting

      >Who's your daddy?

      In my family's case, it was "Who's your uncle?" and "Who's your cousin?".

      My wife's bible bashing, holier than thou grandfather was dipping his wick in many places it seems. The denial on the part of the bible bashing, holier than thou, next generation was remarkable.

      23andme uncovered these things.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Gives a whole new meaning: Who's your daddy? by Kozar_The_Malignant · · Score: 4, Insightful

      > We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly.

      That's because I'm not generally storing my stuff in my neighbor's house. However, if I loan my lawnmower to my neighbor and it gets stolen because he left his garage door open overnight, he is generally responsible civilly for my loss.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    3. Re:Gives a whole new meaning: Who's your daddy? by CaptainDork · · Score: 2

      ... but you can't say you had YOUR data stolen ...

      You should sign up on a site called, "Slashdot ... News For Nerds; Stuff That Matters"

      They have stories that can help you understand.

      Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Gives a whole new meaning: Who's your daddy? by Kozar_The_Malignant · · Score: 2

      Sorry to be a wet blanket here, but since when do you own anything on someone else's computer?

      I own dollars and euros that have no physical existence except in my banks' computers. Ditto cryptocurrencies. Many people own copyrighted commercial and private personal information stored on computers someone leases in the cloud. Location does not equate to ownership.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
  2. your mother's maiden name by goombah99 · · Score: 2

    or your father's middle name are now useless security questions. Along with your SS number, address, home telephone, ....

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:your mother's maiden name by goombah99 · · Score: 2

      take the security question. Hash it with your own secret salt. give that as the answer.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:your mother's maiden name by sexconker · · Score: 2

      The problem is many times answers are restricted to drop down responses or are tied to actual data about you (like past addresses, phone numbers, etc.).
      Another issue is that these are the things the customer service reps can see if you ever get locked out and need to call them.
      Good luck reading out a random password over the phone. No, BACKslash. It's going from top left to bottom right. No no, that's the grave / backtick.

  3. This ought to be particularly alarming by Anonymous Coward · · Score: 4, Insightful

    DNA testing results are particularly sensitive information. While these sites use the information to identify ancestry, they can also test for genetic risk factors for developing various illnesses. That information may be very useful to individuals who can make lifestyle and medical decisions to mitigate those risks. Unfortunately, that information can also be used by insurance companies to deny coverage and by potential employers to not hire people who are at higher risks to develop some medical conditions.

    There needs to be a certification process for handling sensitive data, meaning that businesses must be certified before they're legally allowed to handle information like DNA test results. That certification process should require third-party audits to ensure that various standards are met. This would be followed up with random, unannounced periodic checks to ensure that the business is still in compliance with those standards. Any business that is handling such data without certification should be subject to penalties at least as severe as if all the sensitive data had been compromised in a breach. There need to be standards for handling sensitive data and a certification process to ensure that the data is handled properly.

    1. Re: This ought to be particularly alarming by Cinnamon+Beige · · Score: 2

      No, banning hacking is already covered by laws such as the CFAA, and you know that. Besides, this breach wasn't the result of a hack. The data was left unsecured on a server. Your comment isn't helpful. A much better idea than bans on hacking is to impose stricter standards on the handling of information like DNA test results. A fairly straightforward solution in the United States would be to make businesses like MyHeritage subject to the data protections included in HIPAA. If you're handling DNA information and doing business in the United States, you would be subject to that law.

      I'd actually be very, very surprised if HIPAA doesn't already cover DNA information, especially given that there are laws specifically in place covering genetic privacy, pretty much because it was decided that genetic discrimination is a problem that is most easily solved before it's particularly feasible.

  4. Er, no by bagofbeans · · Score: 3, Informative

    Questions may be restricted, but the responses can be anything you choose. Your first car? Fattybut. Name of second school? 902010, etc.
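
The scheme goombah99 proposes above (hash the site's question with a secret salt of your own), with sexconker's caveat that the result may have to be read to a phone rep and bagofbeans's point that the free-text answer can be anything, as an added worked example. This code is not from any of the posters or from MyHeritage; the `site` and `secret` parameters, the phone-friendly alphabet, the 12-symbol default and the sample inputs are my own constructed choices.

```python
import hashlib
import hmac
import unicodedata

# Hypothetical helper written for this thread (not from any poster or from
# MyHeritage). It turns a site's fixed security question plus a secret only the
# user knows into a deterministic answer that carries no real biographical fact,
# so a breach dump of "mother's maiden name" answers reveals nothing reusable.

# Alphabet chosen so the answer can be read out over the phone: uppercase letters
# and digits only, with the look-alike pairs 0/O and 1/I/L removed, and no
# punctuation (no backslash-versus-backtick conversation with the rep).
PHONE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # 31 symbols

NATO = {
    "A": "Alfa", "B": "Bravo", "C": "Charlie", "D": "Delta", "E": "Echo",
    "F": "Foxtrot", "G": "Golf", "H": "Hotel", "J": "Juliett", "K": "Kilo",
    "M": "Mike", "N": "November", "P": "Papa", "Q": "Quebec", "R": "Romeo",
    "S": "Sierra", "T": "Tango", "U": "Uniform", "V": "Victor", "W": "Whiskey",
    "X": "X-ray", "Y": "Yankee", "Z": "Zulu",
}


def normalize_question(question: str) -> str:
    """Canonicalize the prompt so rewordings such as "Mother's Maiden Name?"
    and "mothers maiden name" derive the same answer."""
    text = unicodedata.normalize("NFKC", question).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def derive_answer(secret: str, site: str, question: str, length: int = 12) -> str:
    """HMAC-SHA256(secret, site || 0x00 || normalized question), written in base 31.

    Mixing in the site name means an answer a rep reads back, or one that
    leaks in a breach, does not reveal the answer for the same question elsewhere.
    """
    if length < 1 or length > 40:
        raise ValueError("length must be between 1 and 40 symbols")
    message = (site.casefold().strip().encode()
               + b"\x00"
               + normalize_question(question).encode())
    digest = hmac.new(secret.encode(), message, hashlib.sha256).digest()
    # Treat the 256-bit digest as one integer and emit base-31 digits. Up to 40
    # symbols (about 198 bits) are requested from a 256-bit value, so each
    # symbol is effectively uniform; no per-byte modulo bias.
    value = int.from_bytes(digest, "big")
    symbols = []
    for _ in range(length):
        value, index = divmod(value, len(PHONE_ALPHABET))
        symbols.append(PHONE_ALPHABET[index])
    return "".join(symbols)


def group(answer: str, size: int = 4) -> str:
    """Split the answer into blocks so it can be read out in chunks."""
    return " ".join(answer[i:i + size] for i in range(0, len(answer), size))


def spell_for_phone(answer: str) -> str:
    """Render every letter as its NATO word; digits are unambiguous as-is."""
    return " ".join(NATO[ch] if ch.isalpha() else ch for ch in answer)


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed example secret
    question = "What is your mother's maiden name?"
    genealogy = derive_answer(secret, "example-genealogy.test", question)
    print(group(genealogy))
    print(spell_for_phone(genealogy))
    # Same question, different site: an unrelated answer.
    print(group(derive_answer(secret, "example-bank.test", question)))
```

The secret must be something you do not reuse as a password anywhere, and it must be kept exactly as long as you hold the accounts; a per-site random string stored in a password manager beats this scheme whenever the manager is available, and the derivation is mainly a fallback for the moment you are on the phone without it. It does nothing for the drop-down case sexconker mentions: if the site forces you to pick a past address from a list, there is no free-text answer to derive.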