Online genetics testing company 23andMe submitted an updated SEC filing with additional details regarding the October cyber breach of its corporate servers.
Originally, the company said that the only details that were accessed by the hacker known as Golem were names and addresses of clients.
The new filing states that the breach occurred when the hacker was able to access the accounts of a very small percentage of users (0.1% of all users) who used the same password and login for the website as they had used on other sites.
That 0.1% equals roughly 14,000 accounts, and the hacker was able to access the ancestry information of these users.
From there, the hacker was able to access details on 5.5 million additional accounts through the company’s DNA Relatives feature, which links users with genetic relatives.
This data includes names and predicted relationships, as well as ancestry reports.
For a small percentage of the original 14,000 users, the hacker also accessed health-related information based upon the user’s genetics.
The company anticipates a financial impact of between $1 million and $2 million during its fiscal third quarter, related to technology consulting, legal fees, and other outside consultants.
This does not include any potential losses that might be incurred from lawsuits resulting from the breach.
While data breaches have become increasingly common in recent years, the breach of a high-profile company related to personal genetic information has given many people pause.
The interconnectedness of the data on 23andMe puts nearly all users at risk based on the actions of just a few users.
The Center for Genetics and Society, a non-profit research group, believes that data breaches involving genetic information are far more serious than credit card breaches.