ADVERTISEMENT

Flaws and breaches plague DNA-testing services DRAFT

Business Digital Index research indicates significant gaps in cybersecurity practices across the DNA testing industry. Most of the top consumer DNA services score a D or less in cybersecurity.

DNA testing, genetics

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Apr 10, 2025 Updated: 3 June 2025 6 min read

What did we find?

Let’s break down the results

  • 100% (40) of companies had SSL misconfigurations.
  • 85% (36) of companies had data breach incidents recently.
  • 78% (31) of services had system hosting issues.
  • 75% (30) were also affected by email security issues.
  • 68% (27) of subjects had issues with their web application security.

What did we learn from privacy policies?

ADVERTISEMENT
  • Full name, contact details, date of birth, gender, and address
  • Payment details
  • Genetic information (raw DNA data, genetic reports, ancestry, health traits, and predispositions)
  • Self-reported information (health conditions, family history, ethnicity, and lifestyle data), sample information (saliva, blood, and other biological samples linked to the individual’s account)
  • Web behavior information (IP addresses, device data, browsing patterns, cookies, and geolocation data)

Which companies did we analyze?

Niamh Ancell Jurgita Lapienyte Gintaras Radauskas Konstancija Gasaityte
Don’t miss our latest stories on Google News
Add us as your Preferred Source on Google.

What should companies do to improve their scores?

  • Enhance security measures: regularly patch and update software, fix vulnerabilities like SSL misconfigurations, and audit systems for weaknesses such as poor email security and outdated web applications
  • Minimize data collection: collect only the essential data needed for service provision, avoiding excessive data collection that might increase exposure
  • Use strong online security measures, such as strong encryption methods and multi-factor authentication (MFA), and access on a “need-to-know” basis. Be transparent by describing them in privacy policies
  • Offer users an easy way to delete their data and ensure that anonymized data used for research cannot be re-identified. Provide a policy for deleting backups and data stored in archives
  • Limit third-party sharing of sensitive data to only trusted, essential partners and ensure third-party providers (including research, payment, and marketing) comply with industry-standard security practices and have clear data protection policies

Research Methodology

  1. Software Patching – 30%. BDI scans internet-facing system software versions, checks for known vulnerabilities.
  2. Data Breach History – 25%. BDI reviews public breach databases for exposed data, analyzes past incident records.
  3. Web Application Security – 15%. BDI scans for common vulnerabilities, checks security headers and configurations.
  4. Email Security – 15%. BDI verifies SPF, DKIM, DMARC implementation, authentication measures, anti-spam and encryption practices.
  5. System Reputation – 5%. BDI checks IP/domain blacklists, malicious activity history, scans for unexpected open ports.
  6. TLS/SSL Configuration – 5%. BDI reviews certificate validity, protocol versions, cipher strength and tests for SSL/TLS vulnerabilities.
  7. System Hosting – 5%. BDI evaluates hosting providers, and CDN implementation, checks geographic distribution.
ADVERTISEMENT