Antihack Blog

If you thought Cathay Pacific data leak was bad, just wait until hackers steal your DNA

24 Apr 2019

The rise of readily available, over-the-internet DNA tests raises the spectre of data hackers stealing the innermost secrets of your very being.
And with Asian demand building the industry into a US$50 billion behemoth, that spectre is growing ever larger.

When Cathay Pacific announced in October that its internal systems had been hacked, close to 10 million passengers of Hong Kong’s flagship air carrier faced the possibility that their personal data, including everything from passport details to credit card numbers, had been compromised. Shivers were felt throughout the region.
Still, as alarming and personally intrusive as this must have been, the truth about modern hacking is that things could have been far, far worse. With the dawn of DNA tests, readily available over the internet, the potential now exists for hackers to access the innermost secrets of your very being, past and future.

The threat was highlighted in June by a data breach at a large Israeli genealogical testing company, MyHeritage, which may have exposed the personal files of 92 million users. The company, which stores intimate information about its users’ family trees and DNA, insists the breach consisted only of email addresses and hashed passwords, but the attack nevertheless opened the eyes of the world to an emerging threat the industry is only just beginning to get to grips with.
In the burgeoning Asian DNA testing field, the two largest players – both Hong Kong based companies – are acutely aware of the security challenges. “We take the protection of our customers’ data and privacy very seriously and that includes administering a number of steps and protocols to ensure that it remains safe and secure,” says Peter Wong, the Chief Technical Officer of Prenetics Limited, a genetic testing company with an office and laboratory in Quarry Bay.
Prenetics is partly owned by Alibaba, the owner of the South China Morning Post, and unlike MyHeritage its testing is focused on health-related issues, an area of DNA testing proving increasingly popular in Asia.

Kevin MacDonald, founder and managing director at Advanced Genomic Solutions (AGS), which runs a state of the art testing lab in Central as well as a subsidiary in the United States, says that driving Asian demand is a trend towards health-based DNA testing.
In the melting pots of North America and Europe, consumers often favour Direct-to-Consumer Genetic Testing (DTCGT) – tests that are widely available over the internet and are often marketed as offering clues to a person’s ancestry. But in Asia, where there is less ancestral ambiguity, MacDonald says consumers are more likely to turn to DNA tests that can be used to predict predispositions to certain forms of cardiovascular disease and diabetes.
“We empower our clients with their genetic data to make healthier lifestyle choices, that is our core business.”

But as demand for the services grows – industry experts predict DNA testing will be a US$50 billion industry by 2026, much of it driven by Asian demand – so too, does the risk that sooner or later, there will be a high profile hacking attack.
“The projections here are staggering,” MacDonald says. “In five years-time, we will likely see the number of DNA tests grow by a factor of 10 and much of that will be on the back of B2B [Business to Business] testing, where Asia is miles ahead of the US.”

Both Prenetics and AGS work with companies including insurance groups and fitness chains that will be offering employees and clients testing to help identify any potential health dangers.
To these companies, DNA tests seem like a sound business policy to encourage healthy – and therefore more productive – employees.
However, critics say that as more companies embrace DNA tests, the likelihood of controlling the flow of personal data gets evermore complicated.
In the end, it requires a leap of faith and a great deal of trust, as even MacDonald acknowledges. “The future and success of our entire industry depends on maintaining the trust of consumers, it really is that simple,” he says.

Some of that trust has already been eroded as more companies admit they have shared data with third parties. Last month, the president of FamilyTreeDNA, one of the largest at-home genetic testing companies in the US, was forced to publicly apologise when it emerged it was covertly sharing data with groups like the FBI to help solve violent crimes. One US website has posted methods for deleting your data from the genetic testing site 23andMe, “if that freaks you out”.
Maybe it should, considering that last year pharmaceutical giant GlaxoSmithKline acquired a US$300 million stake in 23andMe with the express intent of using client’s DNA data for research.
The threat is global. Data has become the single most desired currency in the 21st century, with some of the world’s biggest companies, like Facebook and Google, willing to use any method to acquire it.

Prenetics is quick to point out that despite receiving US$40 million in funding from Alibaba as well as additional funding from Ping An, China’s largest insurance company, that it does not share data without consent. “Our customers decide and control how their individual information will be used and who to share it with,” Wong says.
“This restricts all third parties, including our investors and business partners, from accessing our customer’s data.”
MacDonald is even more emphatic. “We don’t sell or share client data, no exceptions whatsoever,” he says.

With little in the way of regulation for DNA testing in Asia – in any of its forms – to hold companies in check, trust is now all. In Japan, where government regulations are traditionally onerous and DTCGT’s are the most prevalent in Asia, there are other issues. A group working with the Japan Science and Technology Agency found that in the country’s DNA testing climate there was “guidance but no rules and regulations” and that tests diagnosing disorders should come with professional medical advice.
Because of the lack of similar laws and regulations throughout Asia, the onus falls on the consumer to be vigilant and understand the implications of a DNA test. The hard questions have to be asked in the search for a reputable testing company because if your data is being compromised, you become the product. And once your data is out there, it is next to impossible to get it back. 

Source: South China Morning Post

Share this link: