A hack that targeted DNA testing kit company 23andMe back in October is estimated to have exposed significantly more profiles than previously reported. About 6.9 million customers are now projected to have had personal information exposed in the breach, according to a report by the BBC. The incident was previously thought to have exposed the personal information of only 14,000 individuals, just a fraction of the company’s 14 million customer base.
The data breach was allegedly executed using compromised customer usernames and passwords, and it exposed sensitive personal information, including details relevant to ancestry trees, birthdays and general geographic locations. In some cases, the company said, the hack could also have exposed the pictures and display names of affiliated family members who use the company’s services, through the accounts that were primarily breached. 23andMe insists that no actual genetic material or DNA records were exposed.
Legally, 23andMe is obligated to inform all impacted customers, and in October it asked all of its users to reset their passwords. Last month, the company said it has required all new and existing users to log in to the 23andMe website using two-step verification, and that this will remain the standard going forward. The emphasis on account security comes after the completion of an internal investigation, which 23andMe says was conducted with the help of third-party forensics experts, but the company has yet to release a report detailing their findings. The company did, however, say it expects to incur at least $1 to $2 million in expenses related to the hack.
23andMe does more than give customers reports about their family trees: It offers genetic health risk tests for chronic diseases and cancers, and it also has a research arm where customers can opt into clinical research programs. Questions about how 23andMe handles data privacy and protects its digital assets could impact the company’s bottom line if customers shy away from using the services that involve more sensitive medical information.