What’s the most valuable piece of data owned by individuals? A look at recent data breaches suggested that financial information is sought by malicious actors to generate short-term gains, while health care information offers long-term opportunity for cybercriminals to wreak havoc.
According to Threatpost, however, a pair of Stanford researchers have now upped the ante by discovering a vulnerability in The Beacon Project, a genome sharing network. With enough motivation, time and effort, it may be possible for cybercriminals to uncover critical genetic information about specific individuals.
Vulnerability in a Post-Privacy World
All users assume some risk by leveraging online services. In the case of sites like Facebook, for example, real names, addresses and even birthdates may be up for grabs if someone hacks the network, while compromised bank databases could mean thousands lost to fraud. The result is a kind of lowered privacy standard that has users exchanging a measure of their safety for access to certain services or products. But a recent Travelers survey suggested that privacy concerns aren’t so old-fashioned just yet: The report found that 6 out of every 10 Americans “worry about losing personal information or privacy,” with one-quarter of those “worrying a great deal.”
Consider recent issues surrounding Microsoft’s new OS, Windows 10. The company built in a number of data collection measures that it claims help improve system performance and health, CSO Online reported. Users can opt out of some collection but not all; according to Corporate Vice President Joe Belfiore, certain pieces of user data “are not personal information or are not related to privacy.” Unsurprisingly, consumers and watchdog groups do not agree.
Cracking the Code
If users are up in arms about data collected by their operating system and worried about the broader scope of identity theft, the Stanford team’s findings indicated a whole new landscape of potential threats. It goes like this: The Beacon Project allows anonymous pings to its genome servers to check incoming genetic code against what’s already stored. These beacons typically contain the genetic information of 1,000 individuals, with each record stripped of any identifying characteristics.
The use of anonymous queries, however, leads to a vulnerability: Attackers with access to an individual’s genome sequence along with The Beacon Project’s infrastructure could theoretically determine if the victim falls into a specialized group — such as people with heart disease or autism — by sending just 5,000 anonymous queries.
At first glance, this doesn’t look like a commonplace scenario since attackers need a way to obtain users’ genetic information before attempting to compromise the Beacon system. According to The Register, the Global Alliance for Genomics and Health (GA4GH) — which runs The Beacon Project — believes it has done enough to safeguard this stored information. It does acknowledge, however, that it may be possible to reidentify individuals if malicious actors already possess their genome sequence.
But here’s the bigger concern: As genome databases grow and access to this data becomes more commonplace, the distance between “unknown” and “maliciously compromised” begins to shrink. For cybercriminals, a bigger attack surface and the trickle-down effect of stored data from first to subcontracted third parties represents the ideal threat vector.
So what’s the real risk to genome data? Right now, fairly low: Attackers would need to sacrifice substantial amounts of time and effort for a relatively small return. Economies of scale, however, suggest that as the genome market broadens, this vulnerability may shift from mere research curiosity to a real-world issue.