Flaws and breaches plague DNA-testing services


Cybernews research indicates significant gaps in cybersecurity practices across the DNA testing industry. Most of the top consumer DNA services score a D or less in cybersecurity.

Using only publicly available information, the Cybernews research team analyzed the security of 40 popular genetic testing and DNA report services, including 23andMe, MyHeritage, Sequencing, Ancestry, and others.

The analysis was conducted using the Cybernews Business Digital Index (BDI). The platform uses custom scans, IoT search engines, IP and domain name reputation databases to assess companies based on online security protocols and detailed reviews of privacy policies.


What did we find?

The scans reveal that DNA-testing firms use a wide range of unpatched software with glaring critical vulnerabilities, unsafe web applications, email services lacking verification and anti-spam features, and domains with SSL misconfigurations.

Moreover, 34 of the 40 analyzed firms (85%) were exposed to recent data breaches, and 20 (50%) had had their corporate credentials stolen.

“This indicates that a large portion of the companies are not adequately protecting user data, making it vulnerable to breaches, theft or misuse,” said Neringa Macijauskaitė, information security researcher at Cybernews.

The review of privacy policies uncovered additional risks. Around 70% of companies share collected user data with research partners, and 55% share it with marketing and advertising services. Many firms specified long data retention.

“Most companies gather extremely sensitive and extensive information about their customers, including personal, genetic, device, health, and lifestyle information, such as alcohol consumption or smoking,” Macijauskaitė explained.

Sharing information with many third parties makes data breaches more likely, increasing the risk of exposing sensitive details, such as genetic data.

Only about a quarter of the firms detail important privacy and security measures, such as the type of encryption used, data storage location, authentication, ISO standards, and others.


“The rest often use vague terms like ‘encrypted,’ ‘secure,’ or ambiguous phrases like ‘reasonable safeguards.’ If genetic data and personal details are not securely stored, they become vulnerable to cyberattacks or unauthorized access,” the researcher warns.

Let’s break down the results

Researchers evaluated the cybersecurity efforts of the DNA testing services by assigning scores ranging from A to F.

According to the BDI results, 13 out of the 40 DNA testing services received an F grade, and another 13 firms received a D. Only two services scored an A, with an additional two achieving a B-level cybersecurity rating.

“90% of the companies were graded C, D, or F, and none of the most well-known consumer-oriented DNA-testing companies fared well in this test,” Macijauskaitė said.

The scores are similar to the ones assigned to the 100 largest US hospitals and health systems – 79% of which received a D or worse.

To avoid potential exploitation risks and comply with disclosure requirements, the Cybernews research team opted not to publicize the specific scores for companies and their individual findings.

Here’s how the DNA-testing firms fared:

  • 100% (40) of companies had SSL misconfigurations.
  • 85% (36) of companies had data breach incidents recently.
  • 78% (31) of services had system hosting issues.
  • 75% (30) were also affected by email security issues.
  • 68% (27) of subjects had issues with their web application security.

Cybernews researchers also discovered that ten of the analyzed firms had software with critical vulnerabilities exposed.


“One of the analyzed firms had 23.502 corporate credentials stolen, with the latest data breach just from 8 days ago. We also found that 43% of its employees reuse breached passwords in different accounts,” Macijauskaitė said.

Problems with SSL configurations, credentials exposed in data breaches, and problems with system hosting can all leave user data open to attacks or unauthorized access.

What did we learn from privacy policies?

The data handled by DNA-testing companies is highly sensitive as it includes personal identifiers and private genetic information, health conditions, and lifestyle factors.

Most of the DNA-testing companies commonly collect personally identifiable information, including:

  • Full name, contact details, date of birth, gender, and address
  • Payment details
  • Genetic information (raw DNA data, genetic reports, ancestry, health traits, and predispositions)
  • Self-reported information (health conditions, family history, ethnicity, and lifestyle data), sample information (saliva, blood, and other biological samples linked to the individual’s account)
  • Web behavior information (IP addresses, device data, browsing patterns, cookies, and geolocation data)

This type of data can reveal a person’s susceptibility to certain diseases, genetic predispositions, and even personal traits, making it a prime target for misuse or exposure if not properly protected.

Most services retain personal and genetic data as long as the account is active or until the user requests deletion. The most common specified retention period for genetic data was 5-10 years.

“Data retention periods vary widely. Some companies retain data until account deletion, while others store genetic data for up to 10 years or indefinitely for research purposes or legal compliance,” Macijauskaitė said.

She warns that data on health, genetic predispositions, and lifestyle choices could be used for targeted marketing, insurance risk assessments, or other commercial purposes.


The Cybernews researchers estimate the overall privacy risk level for most DNA testing services as “Medium” (87.5%). Only four services approached “Low” risk (10%) due to strong encryption, clear consent management, and limited third-party sharing.

One service received a “High” privacy risk score due to its operations in China, where national laws could potentially allow government authorities to access sensitive user data without explicit consent.

Which companies did we analyze?

The 40 analyzed companies were based in various regions globally, from the US to India. They provide a range of genetic testing and analysis services.

Some, such as 23andMe, Ancestry, and MyHeritage, offer DNA testing kits. Customers submit a sample for analysis and receive insights into their ancestry, health, and genetic traits.


Others, like Promethease, Xcode Life, and NutraHacker, allow users to upload genetic data from external services to generate reports on health, wellness, and lifestyle factors.

The diversity of these companies spans from large-scale providers to niche platforms focusing on specific genetic data points, such as fitness or nutrition.

What should companies do to improve their scores?

Keeping user data secure, and communicating transparently about the security and privacy measures in place, is paramount, especially when the data in question is genetic.


Cybernews researchers suggest key considerations as follows:

  • Enhance security measures: regularly patch and update software, fix vulnerabilities like SSL misconfigurations, and audit systems for weaknesses such as poor email security and outdated web applications
  • Minimize data collection: collect only the essential data needed for service provision, avoiding excessive data collection that might increase exposure
  • Use strong online security measures, such as strong encryption methods and multi-factor authentication (MFA), and access on a “need-to-know” basis. Be transparent by describing them in privacy policies
  • Offer users an easy way to delete their data and ensure that anonymized data used for research cannot be re-identified. Provide a policy for deleting backups and data stored in archives
  • Limit third-party sharing of sensitive data to only trusted, essential partners and ensure third-party providers (including research, payment, and marketing) comply with industry-standard security practices and have clear data protection policies

Research Methodology

The Business Digital Index (BDI) is a new initiative by Cybernews designed to evaluate the cybersecurity of organizations worldwide. It aims to provide a clear, transparent, and independent assessment of cybersecurity management.

The BDI report uses custom scans, IoT search engines, and IP/domain name reputation databases to assess risk across seven key areas: software patching, web application security, email security, system reputation, SSL configuration, system hosting, and data breach history.

Key Components (100% total) of the score are as follows:

  1. Software Patching – 30%. BDI scans the versions of internet-facing system software and checks them for known vulnerabilities.
  2. Data Breach History – 25%. BDI reviews public breach databases for exposed data and analyzes past incident records.
  3. Web Application Security – 15%. BDI scans for common vulnerabilities and checks security headers and configurations.
  4. Email Security – 15%. BDI verifies SPF, DKIM, and DMARC implementation, authentication measures, and anti-spam and encryption practices.
  5. System Reputation – 5%. BDI checks IP/domain blacklists and malicious activity history, and scans for unexpected open ports.
  6. TLS/SSL Configuration – 5%. BDI reviews certificate validity, protocol versions, and cipher strength, and tests for SSL/TLS vulnerabilities.
  7. System Hosting – 5%. BDI evaluates hosting providers and CDN implementation, and checks geographic distribution.
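The email security component above rests on a domain publishing sender-authentication records in DNS. The following is an added example, written for this page and not code from Cybernews or the BDI platform, of how a defender can grade a domain's SPF and DMARC posture the way such a scan would: present or absent, and if present, how strict. The domain names and TXT records are constructed sample data embedded so the check runs offline; a real checker would fetch the records with a DNS resolver. DKIM is omitted because its selectors are not discoverable from the domain alone.

```python
import re

# Constructed sample DNS TXT records for three hypothetical domains. A real
# checker would query DNS; these are embedded so the example runs offline.
SAMPLE_TXT_RECORDS = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "missing.example": ["site-verification=abc123"],
}

# The SPF "all" mechanism with its optional qualifier: +all, -all, ~all, ?all, all.
ALL_MECHANISM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def check_spf(domain, txt_records):
    """Return (status, reason) for the SPF record published at the domain apex."""
    records = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "fail", "no SPF record: receivers cannot verify authorized senders"
    if len(records) > 1:
        return "fail", "multiple SPF records: RFC 7208 treats this as a permanent error"
    qualifier = None
    for term in records[0].split()[1:]:  # skip the "v=spf1" version tag
        match = ALL_MECHANISM.match(term)
        if match:
            qualifier = match.group(1) or "+"  # a bare "all" defaults to pass
    if qualifier is None:
        return "warn", "no 'all' mechanism: unlisted senders get a neutral result"
    if qualifier == "+":
        return "fail", "'+all' authorizes every sender, so SPF offers no protection"
    if qualifier == "?":
        return "warn", "'?all' is neutral: unlisted senders are neither passed nor failed"
    if qualifier == "~":
        return "warn", "'~all' soft-fails unlisted senders; '-all' is the strict choice"
    return "pass", "'-all' rejects unlisted senders"


def parse_dmarc_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, txt_records):
    """Return (status, reason) for the DMARC policy published at _dmarc.<domain>."""
    records = [r for r in txt_records.get("_dmarc." + domain, [])
               if r.lower().startswith("v=dmarc1")]
    if not records:
        return "fail", "no DMARC record: spoofed mail is neither reported nor blocked"
    if len(records) > 1:
        return "fail", "multiple DMARC records: receivers discard the policy (RFC 7489)"
    policy = parse_dmarc_tags(records[0]).get("p", "").lower()
    if policy == "reject":
        return "pass", "p=reject: mail failing authentication is refused"
    if policy == "quarantine":
        return "warn", "p=quarantine: failing mail is flagged, not refused"
    if policy == "none":
        return "warn", "p=none: monitoring only, spoofed mail is still delivered"
    return "fail", "missing or invalid 'p' tag: the record is not a valid policy"


def evaluate_email_auth(domain, txt_records=SAMPLE_TXT_RECORDS):
    """Grade one domain's SPF and DMARC records from a name -> TXT list mapping."""
    return {
        "domain": domain,
        "spf": check_spf(domain, txt_records),
        "dmarc": check_dmarc(domain, txt_records),
    }


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "missing.example"):
        result = evaluate_email_auth(name)
        print(f"{name}: SPF {result['spf'][0]} ({result['spf'][1]}); "
              f"DMARC {result['dmarc'][0]} ({result['dmarc'][1]})")
```

Run against the constructed data, `good.example` passes both checks, `weak.example` fails SPF (`+all`) and only warns on DMARC (`p=none`), and `missing.example` fails both because it publishes neither record. The same shape of finding, present but permissive versus absent, is what separates "implemented" from "verified" in an email security assessment.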

The analyzed companies need to score 95 points or more to receive an A grade (low risk). All scores below 70 are considered an F, or “Critical risk.” The detailed BDI methodology can be found here.

The privacy policy risk estimations focused on several critical criteria, including the types of user data collected, the purposes for which the data is used (internal services, research purposes, marketing, and others), data storage and retention practices, genomic data handling, third-party data sharing, data selling, and opt-out options.

Based on these evaluations, companies were assigned a privacy risk score categorized as Low, Medium, or High.
