What to Do When Hackers Crash Your Gene Pool Party

This week, we talk about how the data of millions of 23andMe customers was stolen and put up for sale. Pro tip: Don’t use the same password on multiple websites.
[Illustration: Human hand made from keyboard keys. Yaroslav Kushta/Getty Images]

Genetic testing companies like 23andMe and Ancestry offer a pretty enticing prospect. Just mail off a little bit of your spit in a tube and the company's lab can reveal the details of your ethnic background and trace the many branches of your family tree. The popularity of such tests means these genomics and biotechnology companies hold a whole lot of very personal data about their customers, and hackers tend to see their databases as targets ripe for the picking. Earlier this month, the private data of millions of 23andMe customers was stolen and put up for sale on hacker forums. Most troublingly, the data gathered targeted specific ethnic groups, including Ashkenazi Jews and people of Chinese descent.

This week on Gadget Lab, we talk with WIRED senior writer Lily Hay Newman about the 23andMe hack, what it means for the people who were directly affected, and whether it's a good idea to give companies access to your genetic material and history in the first place.

Show Notes

Read more from Lily about the 23andMe hack and some updates on how it has gotten even worse. Follow all of WIRED’s cybersecurity coverage.

Recommendations

Lily recommends Taylors of Harrogate Yorkshire Tea, specifically the flavor Malty Biscuit Brew. Lauren recommends Pasta e Ceci. Mike recommends the episode of the New York Times podcast Popcast titled “Do We Need Album Reviews Anymore?”

Lily Hay Newman can be found on social media @lilyhnewman. Lauren Goode is @LaurenGoode. Michael Calore is @snackfight. Bling the main hotline at @GadgetLab. The show is produced by Boone Ashworth (@booneashworth). Our theme music is by Solar Keys.

How to Listen

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here's how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts, and search for Gadget Lab. If you use Android, you can find us in the Google Podcasts app just by tapping here. We’re on Spotify too. And in case you really need it, here's the RSS feed.

Transcript

Michael Calore: Lauren?

Lauren Goode: Mike.

Michael Calore: Have you ever had your genome sequenced?

Lauren Goode: You mean like one of those kits where you spit in a tube and mail it off and find out that you hate cilantro and your father is not your father?

Michael Calore: Yeah, that's pretty much what I mean.

Lauren Goode: I like cilantro though. I have done one of those kits as a matter of fact.

Michael Calore: What did you learn about yourself?

Lauren Goode: I learned that I am 33 percent cat.

Michael Calore: That tracks. Have you ever wondered about your genetic data leaking?

Lauren Goode: I think about it all the time, and also I think about where it goes if 23andMe or companies like it get acquired. Because someone has to absorb that data and it's an entity that I wasn't planning on having my data.

Michael Calore: That's right. And I think you should be paranoid about it.

Lauren Goode: Really?

Michael Calore: Yes, we're going to talk all about it today.

Lauren Goode: Oh boy. I can't wait.

Michael Calore: Let's do it.

[Gadget Lab intro theme music plays]

Michael Calore: Hi, everyone. Welcome to Gadget Lab. I am Michael Calore. I'm a senior editor at WIRED.

Lauren Goode: And I am Lauren Goode. I'm a senior writer at WIRED.

Michael Calore: We're also joined this week by WIRED senior writer Lily Hay Newman. Lily, welcome back to the show.

Lily Hay Newman: Thanks for having me.

Michael Calore: Of course. It's always a banger when you're on the show. People see your name in the show description and they put the kids to bed and they lock the door because they know that we're going to talk about cybersecurity and hacks and cybercrime and all that lovely stuff.

Lily Hay Newman: Yeah, maybe I'm actually a deterrent to listeners.

Michael Calore: So if you've ever been curious about your ancestors or what part of the world your family really comes from, you may have been tempted to send a bit of yourself to companies like 23andMe or Ancestry. You just spit into a little tube and mail it to the company. And within weeks, you get back a detailed map of your lineage. And if you want, the same map of other people that you might be related to. It's pretty cool at least until that data falls into the wrong hands. That is exactly what happened with 23andMe. At the beginning of October, the company announced that it was hacked and as a result, the names, birth years and general descriptions of genetic data for millions of people were posted on hacker forums. The hack appeared to target specific ethnic groups and the methods used to obtain the data appeared to be relatively low tech. Late last week, the breach became even worse with another hacker posting millions more records on hacker forums. Lily, you cover all sorts of hacks and data breaches on our security desk here at WIRED. And you've written about this 23andMe breach. What kind of information was revealed?

Lily Hay Newman: So the data that was revealed is not raw genetic data, but it is information that could give you a sense of who someone is and potentially identify them. So things like a display name, sex, birth year. And details about broad genetic ancestry. So something like broadly Arabian or broadly European. And then potentially some more specific geographic ancestry information as well. So it's not the crown jewels, but it starts to really get into who someone is and some information about their background.

Lauren Goode: So it sounds like it's specific to ethnic background and not necessarily biomarkers for diseases or other medical conditions that might show up from some of these tests?

Lily Hay Newman: Yeah. The way the data was collected on this broad scale was by scraping or collecting information that users had opted to share in this 23andMe feature called DNA Relatives. So the feature is all about helping you connect with other relatives and find people and is sort of like a social-ified service. So the actors who scraped this data seemed to have searched under certain criteria and that's how they had broad buckets of information on Ashkenazi Jews, is one category they were searching for. And then scraping people of Chinese descent. There were about 300,000 of those. And then as we mentioned, the actor has continued to post more data both in those categories and in a broader range. So yeah, that's why it's clustered in those areas. But all of this information is geared towards what customers might've opted into sharing with other 23andMe users. So it's not public to the public internet, but public within the service.

Lauren Goode: Mm-hmm. And just to be clear for folks, when Lily refers to actor, that's a term used in the cybersecurity world to describe someone who's taking an action. For example, a bad actor is someone with malicious intent. We're not referring in this instance to Leonardo DiCaprio. Although, it would be quite a story if he was the one who hacked 23andMe.

Lily Hay Newman: That would be a big scoop.

Michael Calore: Now, obviously we can't necessarily ascribe motive, but we can guess why this actor would target specific ethnic groups and make that known in their announcement when they post the data for sale.

Lily Hay Newman: Right. I think there's a lot of reasons that it could have been done this way. It could have to do with wanting to specifically expose people in those groups, like there could have been some sort of geopolitical or other ideological motivation. But also a lot of researchers I talked to speculated that things like this are often just for notoriety to try to ... Because this data is being sold on hacker forums. And so a lot of times, actors, there's that word, actors, will do things like this simply to make their product more appealing or gain notoriety or get exposure and bring attention to hawk their wares essentially. So it's possible that it was for some sort of insidious, racially motivated reason. But that's not necessarily the case.

Michael Calore: How did the hacker actually get into people's accounts? How much of this points to perhaps a lack of security on the part of 23andMe?

Lily Hay Newman: So the company would say that that's not the case. They want to make the distinction that the way they say this happened was that a small number of accounts were compromised using a technique called credential stuffing, which is really just going through all these combinations of usernames and passwords that have been previously leaked or stolen, and other breaches from around the internet not necessarily related to the victim or the target in question, and then actors trying those stolen credentials against all different logins. And the idea there is if you've reused a username and password on multiple accounts, the same username and password that was stolen in one place will let the attackers into your account in another place. So 23andMe says that it's not a breach of their systems and isn't exactly hacking. It's like stealing the key and then just walking in the front door. You don't have to break down the door if you have the key. The crucial thing there though is to get from those few accounts to all the millions of people whose data was impacted by this, that's where I use the term scraping. The concept is that then, the attackers use their access into that small group of accounts to simply look at or pull up records that were shared with the accounts from the DNA Relatives service and hoard a massive amount of data from there. But so, how much is this a security issue and what does this say about 23andMe's defenses? It's an interesting area because scraping as a technique, companies can say and do say, "That's not a breach." Users have to opt into sharing that information. They could choose not to share it. And companies will say things like, "We take measures to reduce scraping." But it's inherent in publishing data to a broad set of users or publicly and we can't stop it completely.
But when you're seeing scraping like this with a genetic service, it underscores what researchers and privacy advocates have been saying for a long time, which is that scraping isn't just getting a copy of the phone book or something. These digital services make it really easy for actors to hoard and gather all this data and we need to think about that and take mitigating that risk seriously, rather than just saying, "Well, it wasn't a breach of our systems, so we weren't hacked." This isn't our problem.

Michael Calore: So the data was posted for sale at a site called BreachForums. What can you tell us about this corner of the internet?

Lily Hay Newman: BreachForums is a popular and well-known kind of clearinghouse for people to post all sorts of data and tools, other information, and it fits into a broader ecosystem of hacker forums for advertising and posting data. Sometimes, these forums can be used in positive ways to just share information about potential concerns. But they can also be used at times to distribute stolen data or at least advertise its existence and then actually distribute it elsewhere.

Michael Calore: Right.

Lauren Goode: Mike's been hanging out there a lot. Yeah, he doesn't know. I can see his computer here at the office and I'm like, "What is Mike doing at breachforums.com?"

Michael Calore: Yeah, I lost the keys to my car and I'm trying to figure out how to get into it. It's totally white hat, totally up and up. I swear.

Lauren Goode: You don't have a car.

Lily Hay Newman: When Calore and I see each other, he says, "See you on BreachForums." And I say, "Not if I see you first."

Michael Calore: All right, well on that note, let's take a break and we'll come right back.

[Break]

Michael Calore: All right, welcome back. For years, companies like 23andMe and Ancestry have been collecting genetic information from millions of people. They've used it to generate massive pools of data about some of the most important things you can know about a person. Where you come from, who you're related to, what genetic conditions might run in your family. It's intimate, personal information gleaned from just a little bit of spit. Lily, I'm sorry for asking such a leading question, but should people be willingly sending their genes to these companies? Are all of our family trees already up for grabs now somewhere?

Lily Hay Newman: So it's a really good question. It's the type of thing that you want to think about in terms of genetic testing, but that also applies conceptually to a lot of things. Ultimately, I think there isn't a clear-cut answer because it's more of a cost-benefit assessment of what you're getting out of it. First of all, in other contexts, people do genetic testing for medical reasons, to find out things about their health status and that might be urgent or very important. But even for the consumer facing more home tests, which also potentially have a medical purpose but aren't necessarily being prescribed or recommended by a doctor or something like 23andMe, there still could be a massive personal and emotional and psychological value to someone knowing more about the ancestry component or the finding relatives, finding biological connections. So I don't want to minimize or downplay and say, "Well, these are just curiosities and it's become way too mainstream and people shouldn't be using it", because I don't think that's the case. But if there isn't a specific and compelling reason to do it or if there aren't these pressing personal questions that people are wanting to get some insight on, I do think it's really worth taking a pause, especially for services that have this social component. I think that's really the tie into this breach. And like I said, this can apply to a lot of things. If there's a social component to a service, where to really be able to use it and get the full feature set out of it, you're going to need to opt into sharing data, not just with the company, but with other users and a broad network of users, you start to encounter these issues. The same ones that the traditional social networks have grappled with about social graph and what else can be gleaned about you and a cohort of people that you then can be grouped into from that data that you're sharing semi publicly with other users. 
So I think that's what this incident with 23andMe really underscores.

Lauren Goode: I was wondering about the fine print in some of these apps like Ancestry or 23andMe that people should be aware of in the event of some kind of partnership or acquisition. Because years ago, I was writing a lot about health and fitness apps that were very consumer facing. And one by one, a bunch of them got acquired. They were not sustainable businesses on their own. It was hard to convince people to pay for a subscription service to use, just your favorite running app or something like that. And I had signed up for and used all of them. And all of a sudden I thought, "OK, great. So I guess Under Armour owns all of my data now. Google owns all of this fitness data now." What should people know about what happens if 23andMe or other entities like it end up getting acquired someday? Where does that data go?

Lily Hay Newman: I think the crucial concept in general, which ties into what we've all just been talking about, is that once you release data into the wild, it can't be put back in the box. That's just the core of what the stakes are for something like genetic data, but again, could apply to other things too. And it's hard, but I try to be thoughtful about it in every context I can think of. Like, well, what if I make a shared calendar with someone to coordinate about whatever workout schedules? And then that means they have that data in their calendar app and I have it in my app. So I think thinking through just that on off switch or that binary of once it's out there, it could be stolen, it could be sold to another company. You can just keep riding that wave to places you never even would've thought of on the day that you spit in the tube.

Michael Calore: Yeah. When you do spit in the tube, you do have some choices about how your data is used by the company. You can consent to allowing your data to be used in research, particularly for pharmaceutical companies. There are partnerships between the companies that collect and process your genetic data for you and the companies that develop drugs that work on people with specific conditions. So when a user submits to that and they say, "Yes, you can use my data", before your data is passed along to the partner company, it's anonymized and aggregated. Can you explain briefly what that means? What does anonymized data look like and is it truly anonymous?

Lily Hay Newman: This is a big topic. The basic concept is stripping the personally identifiable components away so that what's left is data that is about you, but could be about anyone and can't be specifically linked to you. So without a bunch of … your name, your specific characteristics, your hair color, let's say. Like OPSEC breach here, I have brown hair. The fact that that data point in the dataset is my brown hair versus someone else's brown hair is stripped away or becomes anonymized when it's no longer connected to my name, my birthday, other things about me. So that's the concept, is to strip that away. There have been a lot of studies and a lot of research on the specific techniques that are used by different companies that even have been invented and exist abstractly to anonymize data sets. And often, the conclusion is that there is some reverse engineering that's possible and that the information has not been totally anonymized. So that's one factor to consider. But another thing to consider is, again, this 23andMe data dump did not include raw genetic data. But in the case of raw genetic data, you really have to pull the information very far apart and isolate specific things in order to anonymize it. Because if you just have a leak, again hypothetically, not in this situation of full genomes or even segments of someone's genome, that is the ultimate identifying information. So even if my name isn't on it anymore, if there's another dataset that does have my genetic information, that does have my name, that anonymized dataset can be linked back to me.

Michael Calore: Right. All right. Well, Lily, thanks for taking us through all of this stuff. I know it's hairy and you're still reporting on it, right?

Lily Hay Newman: Yes, more is still coming to light about this incident. And as you all brought up, the broader questions around genetic privacy and the privacy implications of scraping are just huge topics that we're continuing to delve into at WIRED.

Michael Calore: And we look forward to reading more of those stories. Everybody can find them at WIRED.com. Let's take a break and we'll come right back with our recommendations.

[Break]

Michael Calore: OK, Lily, you've done this a few times. You know how it works and you're prepared, I'm sure. What is your recommendation for our listeners?

Lily Hay Newman: I like that jab as if perhaps I am not prepared. I am sure you're prepared.

Michael Calore: I would expect nothing less.

Lily Hay Newman: My recommendation this week, there's a lot of really heavy stuff going on in the world, and so I wasn't sure, should I recommend something very intense or like a humanitarian thing, or should I recommend something really light? But I don't want to be too jokey. So I am going to recommend something light, but something that has been just grounding for me and helpful to me lately, which is a type of tea. It is not a magic tea. It is a normal tea. And—

Lauren Goode: What's a magic tea?

Michael Calore: I think she means like psychotropic.

Lauren Goode: Like a hallucinogenic?

Michael Calore: Yeah.

Lily Hay Newman: Yeah.

Lauren Goode: OK. You can ... Please continue.

Lily Hay Newman: Have me back on the show. We'll see what happens next week.

Lauren Goode: Done.

Lily Hay Newman: But this week, I'm just recommending regular tea. This was tea that was gifted to me by a WIRED colleague, Matt Burgess on the Security desk, and imported for me from the United Kingdom where he lives. It's Taylors of Harrogate Yorkshire Tea, and specifically it's a novelty flavor called Malty Biscuit Brew. So I call it biscuit tea.

Lauren Goode: And does it have caffeine in it?

Lily Hay Newman: Yeah, it's a black tea, but normal. It's not like a huge amount of caffeine, just the normal black tea amount, I think. But then it also has this sort of toasted malt grain in it that makes it taste like eating tea and biscuits all in the tea and it's really delicious. And normally, for me, I was concerned that this was my one box ever until Matt comes back to the US and that I would never be able to get it again. But then I saw that it actually is sold online from some importers and is not that unreasonable on Amazon. So depending on where people want to buy their tea, if you're in the US, there are options. And if you're in the UK, I think you can buy it at grocery stores. Yorkshire Tea, Malty Biscuit Brew. It's just delicious and very comforting.

Lauren Goode: It sounds great.

Michael Calore: Do you have to put milk in it?

Lauren Goode: I was just going to ask that because our colleague Jeremy White came on the show a few months ago now to talk about Tesla. And his recommendation at the end was related to tea and he had very specific directions around this. He's also British, by the way. Lily, do you put milk in your tea?

Lily Hay Newman: Well now, I've gotten myself into trouble because I think the answer is yes, that that is a requirement. And I think it ... So Matt and I brewed some of this tea when we were at the WIRED New York office a few months ago and he brought the tea. And we put milk in it there because I think that's just what is supposed to happen, and he spearheaded that initiative. And it does make it more biscuity in a way. I don't know exactly how to describe it. But I personally typically don't put milk in my tea and I just drink it black or whatever you would call it. And the tea is great that way too. Though I'm sure I'm revealing my ignorance somehow by saying that.

Michael Calore: I think you should drink it however you prefer it, because then you're drinking tea instead of not drinking tea.

Lauren Goode: I think Jeremy's remarks were not necessarily about milk or no. It was about the order with which you put the milk in if I remember correctly?

Michael Calore: He has strong feelings about milk.

Lauren Goode: Strong feelings.

Michael Calore: Which I don't agree with either. Anyway, Lily, thank you for that—

Lauren Goode: Great—

Michael Calore: Refreshing—

Lauren Goode: Recommendation.

Michael Calore: Biscuity recommendation. Lauren, what is your recommendation?

Lauren Goode: First, I want to give a shout-out to the folks who sent me workout playlists. On last week's episode of Gadget Lab, I said that I was really tired of my exercise playlist on Spotify. I put a call out and I got some really wonderful recommendations. So I want to say thanks in particular to Pat, Leo and Shannon. Also to you Mike, because you were I think the first person who sent me a workout playlist. And it was a death metal playlist titled Run or Die. I'm not sure if actually I have the rights to play this on the show. Do we have Boone? I'm looking at Boone, our producer. Is it possible for me to play this and get in trouble, not get in?

Michael Calore: I've been told by our lawyers that fair use is not a determination we make in the room.

Lauren Goode: This is breaking news. It's like ...

Michael Calore: Yeah, it makes you want to run. It makes you want to work out.

Lauren Goode: So I must admit I didn't. I didn't really listen to this one yet. I went through the list of artists and I thought, "Nope, don't know that. Nope, don't know that one. Don't know. Nope, don't know. Nope, nope. Oh, Blood Incantation." I know them because Mike just went to their show. That's literally the only reason.

Michael Calore: Such a great band.

Lauren Goode: Right. Well, thank you very much. My actual recommendation this week, it is ... We should have a little intro music for this. Oh, OK. It is time for Pasta e Ceci. Longtime listeners of the show will know that in the past, both Mike and I think have recommended this New York Times cooking recipe. It is called Pasta e Ceci. You can look it up. Pasta e Ceci, Italian pasta and chickpea stew. I believe my Italian people call it pasta fazool. This is what it is. It's delicious. It is just the perfect, if you like Italian food and flavorings, perfect late fall, early winter stew. It's really more like a stew. It's not just a soup. It's not like minestrone where there's a lot of water and water-based vegetables. It's thick, it's hearty. You can put different things. You can add some bay leaves to it. You can put some rosemary in it for flavor, which the recipe calls for. Red pepper, you can adjust the red pepper. I like to put a little bit of cheese on top of it. Occasionally an avocado, but that really makes it pretty hearty. And Mike, you've mentioned before, it's great for freezing.

Michael Calore: Yes, you can cook it and freeze it and then eat it like every third day or every Sunday.

Lauren Goode: And depending on how much red pepper you put in this thing, by freezing it and just letting it all soak in, it really packs a punch. So just be careful with the red pepper, I would say.

Michael Calore: Nice.

Lauren Goode: That is my recommendation this week. Try making that stew.

Michael Calore: Pasta fazool.

Lauren Goode: Pasta fazool. And then another thing, I don't think there's an official recipe for it. But one time you and Boone were over and you made that incredible pasta with capers and what else was in it?

Michael Calore: Tomatoes, basil, garlic.

Lauren Goode: Well, yeah. Yes, tomato. It was tomato sauce base, but it was delicious. Is that like an official recipe?

Michael Calore: I think it's just the kind of thing that you just learn as you grow up in an Italian-American household.

Lauren Goode: Yeah, just throw it together. Some good peasant pasta.

Michael Calore: Yeah.

Lauren Goode: All right. Well, I guess that's a side note there.

Michael Calore: Sure.

Lily Hay Newman: Is this a recommendation or just making us jealous that you all hang out and eat great food?

Lauren Goode: Both.

Michael Calore: Both. And listen to death metal.

Lauren Goode: Well, some of us. Mike, what's your recommendation this week?

Michael Calore: I am going to recommend an episode of the New York Times Popcast. It's sort of a New York Times playlist-y theme this week. Maybe you could listen to this while you're drinking your tea. It is an episode of the Popcast, which is hosted by Jon Caramanica, the chief pop music critic at The New York Times. This episode came out a couple of weeks ago on October 12. It's called, "Do We Need Album Reviews Anymore?" And it's a 45-minute, hourlong conversation between Caramanica and Jamie Brooks, who is a recording artist and a writer and an all around swell person. They talk about the future of music journalism at first. But they also fascinatingly talk about how the technologies of the day have changed the artistic decisions that people make when they create music. Like for example, during the ringtone era, late 2005 to about 2010 when you could load ringtones onto your smartphone, that changed the economics of the music industry and it changed the way that people put out songs in the streaming era. Playlists, singles, the importance of those things, really short songs. Short albums so you can rack up plays. All of those technological innovations in the way that people consume music has changed how music sounds. They also just talk about the economics of making music and how that's changed and the role that the critic plays in that world. There's conversations online whenever an artist releases an album. And that just doesn't happen as often anymore. It's a really fascinating conversation, especially if you grew up reading record reviews or if you grew up anticipating album releases. You may not think about it that much, but the way that those things have changed over the years is really radical. It's very different now than it was even five years ago just because of streaming. So it's a great conversation. Overall, a great podcast. I recommend a subscribe and follow on the Popcast. 
But that episode in particular, if you spend any time making music or thinking about music or just if you love to hear people talk about it.

Lauren Goode: Do you think we need album reviews?

Michael Calore: I do.

Lauren Goode: Why is that?

Michael Calore: They're crucial for discovery. They're also crucial for the albums that don't get a lot of attention. There's a lot of people in the sort of underground world, maybe in what we used to call alternative rock world, who still consider albums an important artistic statement. They are a very particular kind of artistic statement that I hope does not go away. And the best way to find them is to have the taste makers in your life, the people that you trust, tell you about them. So I love albums and I love reading about how an album works. Album reviews are a big part of that. Also, shout out to our sister publication—

Lauren Goode: Our friends at Pitchfork.

Michael Calore: Over at Pitchfork, who have built an empire on album reviews. But I'm sure they feel the same way. Not just being a homer. This really does resonate with me.

Lauren Goode: That's a great recommendation.

Michael Calore: Thanks. I hope everybody checks it out. All right. Well, Lily, thanks for joining us this week.

Lily Hay Newman: It is my pleasure as always to be here.

Michael Calore: All right.

Lauren Goode: So great to have you, Lily.

Michael Calore: It really is. And thank you all for listening. If you have feedback, you can find all of us on the social medias. Just check the show notes. Our producer is Boone Ashworth and we will be back with a new show next week. And until then, goodbye.

[Gadget Lab outro theme music plays]
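The credential-stuffing mechanism Lily describes in the transcript above, as an added Python example that is not part of the WIRED page or of 23andMe's systems. It parses constructed authentication log lines in an assumed format and separates the stuffing signature (one source trying many distinct usernames, most of them failing) from plain brute force (one source hammering a single account) and from an ordinary user who mistyped a password once. The log format, IP addresses, usernames and thresholds are all assumptions chosen for illustration; the point is that the handful of logins that do succeed are exactly the reused-password accounts that became the foothold for the scraping, so they are the ones to force a reset on.

```python
"""Spot credential stuffing in authentication logs.

Added example, not code from the WIRED page or from 23andMe.
Log format, addresses, usernames and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in an assumed format:
#   <timestamp> auth src=<ip> user=<username> result=<ok|fail>
# 203.0.113.7  : one source, ten different usernames, two succeed (stuffing)
# 198.51.100.9 : one source, one username, ten failures (brute force)
# 192.0.2.15   : a real user who mistyped once, then logged in
SAMPLE_LOG = """\
2023-10-01T03:00:01Z auth src=203.0.113.7 user=alice result=fail
2023-10-01T03:00:02Z auth src=203.0.113.7 user=bob result=fail
2023-10-01T03:00:02Z auth src=203.0.113.7 user=carol result=fail
2023-10-01T03:00:03Z auth src=203.0.113.7 user=dana result=ok
2023-10-01T03:00:03Z auth src=203.0.113.7 user=erin result=fail
2023-10-01T03:00:04Z auth src=203.0.113.7 user=frank result=fail
2023-10-01T03:00:04Z auth src=203.0.113.7 user=grace result=fail
2023-10-01T03:00:05Z auth src=203.0.113.7 user=heidi result=fail
2023-10-01T03:00:05Z auth src=203.0.113.7 user=ivan result=fail
2023-10-01T03:00:06Z auth src=203.0.113.7 user=kim result=ok
2023-10-01T03:10:00Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:01Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:02Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:03Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:04Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:05Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:06Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:07Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:08Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:10:09Z auth src=198.51.100.9 user=bob result=fail
2023-10-01T03:20:00Z auth src=192.0.2.15 user=alice result=fail
2023-10-01T03:20:09Z auth src=192.0.2.15 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters needed to tell stuffing from brute force."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    logged_in: set = field(default_factory=set)    # usernames that succeeded


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate the log per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # blank or unparseable line: skip, do not crash
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "ok":
            s.successes += 1
            s.logged_in.add(rec["user"])
    return dict(stats)


def classify_source(s, min_attempts=8, min_distinct_users=6, max_success_ratio=0.3):
    """Label one source: credential_stuffing, brute_force or normal.

    Stuffing: many different usernames, each tried about once, low hit rate
    (leaked pairs only work where the password was reused).
    Brute force: many attempts against one or two usernames.
    Thresholds are illustrative assumptions, not tuned values.
    """
    if s.attempts < min_attempts:
        return "normal"
    if len(s.users) >= min_distinct_users and s.successes / s.attempts <= max_success_ratio:
        return "credential_stuffing"
    if len(s.users) <= 2:
        return "brute_force"
    return "normal"


def detect(log_text):
    """Map each source IP in the log to its label."""
    return {ip: classify_source(s) for ip, s in summarize(log_text).items()}


def accounts_to_reset(log_text):
    """Usernames that logged in successfully from a stuffing source."""
    stats = summarize(log_text)
    return {
        user
        for ip, s in stats.items()
        if classify_source(s) == "credential_stuffing"
        for user in s.logged_in
    }


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip:<14} {label}")
    print("force password reset for:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

On the constructed log this labels 203.0.113.7 as credential stuffing, 198.51.100.9 as brute force and 192.0.2.15 as normal, and returns dana and kim as the accounts to reset. A per-account rate limit alone would have let the stuffing through, since each username is tried only once; the signal is in the per-source view, and in production the same aggregation would be run per ASN or per device fingerprint as well, because stuffing tools spread attempts across proxy pools.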