By now, we have all heard of direct-to-consumer DNA testing services. They have grown in popularity in recent years in large part because, as humans, we are innately curious, and given the digital transformation afoot, digitizing DNA is no longer far-fetched. I was first of the opinion that little argument could be made about the validity and utility of such consumer DNA testing services beyond satisfying our curiosity about our past, but I recently changed my mind after learning about the medical research and advancement that such initiatives could bring.
There is no doubt that consumer DNA testing is here to stay, but we still need to ponder: Is the digitization of our DNA the safe thing to do?
Here is the great debate: Just because we can digitize or consumerize our DNA, should we? Is digitizing DNA merely out of curiosity worth the risk of a breach? On the other hand, the digitization of human DNA for science and medical research purposes could bear great fruit if it helps unearth a cure to a fatal illness. If you consider that your DNA is the ultimate personally identifying information (PII), its dark web street value could be sky high. Hackers are more than likely taking a hard look at how it might benefit them to break into the troves of DNA that live on these direct-to-consumer DNA sites. How would you feel if your DNA were suddenly out there on the dark web, free for the taking? And now that we have seen the first mega breach in the sector, what are the implications?
DNA As The Ultimate PII
Digitizing DNA falls under an emerging field dubbed “cyberbiosecurity,” which explores the slew of risks that can come with the increase in digitization in life sciences. In the case of DNA and the potential fallout should it be stolen by a hacker, the implications are vast.
While having your Social Security number stolen is certainly an invasion of privacy and can wreak havoc on your ability to prove you are who you say you are (if someone were to masquerade as you, using your Social Security number as proof), it is not nearly as invasive as having your DNA stolen — your DNA is permanent, unchangeable. You cannot simply get new DNA like you could replace your Social Security, credit card or bank account number.
The digitization of our DNA means that it is held in some organization's database, and how it is used is somewhat unknown to us. The closure of a criminal cold case by matching a consumer DNA database against a police database is just one example of these potential uses. And though hackers have yet to monetize digital DNA in a way that starts a concerning trend for our identities, the more critical point is that, once digitized, an individual's DNA can be compromised, stolen and used by criminals for any purpose.
While years ago, the idea of digitizing DNA seemed like a futuristic theory at best, it is now our reality. There are vast implications from a privacy standpoint — is it now OK for an employer to ask for your DNA to see if your genetic makeup makes you a fit for a particular role? Where do we draw the line on what is considered oversharing our personal details? And importantly, where do we stop and consider not just the privacy implications but the security implications?
Hacking humans will continue. It remains the easiest inroad for hackers to break into corporate networks, trolling for invaluable data, whether it be for selling on the black markets or to halt company operations entirely, seeking millions of dollars in ransom. The addition of DNA as a new avenue for hackers to explore is yet another new frontier that cybersecurity professionals need to face head-on.
We cannot stop innovation and progress, and we probably cannot stop hackers from exploiting these innovations, but we can surely slow them down. As consumers, we have a choice to understand how our digital DNA is stored and secured, how it is used and when it is breached. We can demand that the organizations breaking ground in this area also break ground in securing this highly valuable personal information. If we, as consumers, have become inured to data breaches to the point of not paying much attention, this is an area where we need to wake up and be alert. The alternative could be to pay the ultimate identity theft price.
This article originally appeared on Forbes.com.