Hacks of genetic firms pose risk to patients, experts say


Good morning and welcome to The Cybersecurity 202. We don’t have a newsletter tomorrow, but we’ll be back with you on Monday. Have any suggestions or tips? Email us at aaron.schaffer@washpost.com and tim.starks@washpost.com

Below: Thailand’s government says authorities use spyware, and a former Twitter employee is set to go on trial over charges that he was secretly giving user data to Saudi Arabia. First:

Hacks of genetic firms pose risk to patients, experts say

It’s not just schools, local governments and major private-sector firms like Colonial Pipeline getting hacked. Hackers have also hit genetic and fertility clinics, which have troves of sensitive information.

Since the beginning of last year, more than a dozen medical labs, genetic testing companies and fertility firms have disclosed breaches affecting more than 3.5 million people, according to a Cybersecurity 202 review of data breach disclosures to states and the Department of Health and Human Services .

The hacks raise questions about what can happen when genetic information falls into the wrong hands, and it’s not clear what measures the firms adopted to protect the data and what the data consists of. They also come amid heightened digital privacy concerns in the wake of the Supreme Court’s overturning of Roe v. Wade.

What are the risks for average Americans? Experts who spoke with The Cybersecurity 202 offered varying degrees of concern.

Brad Malina professor of biomedical informatics, biostatistics and computer science at Vanderbilt University Medical Center, said the risks are “highly dependent on how the adversary wants to use the data, and it’s also dependent upon the type of information that they’re trying to gain access to.”

For example, an attacker could be trying to infer the health or traits of their target, Malin said. Or they could try to determine whether two people are genetically related — but that attack would be more complex, requiring genetic information on both targets, he added.

Breached genetic information isn’t like stolen credit card numbers or passwords, which can be changed, said Natalie Rama law professor at the University of Maryland’s Carey School of Law.

“How big is the risk that someone wants to sell your genetic data on the dark web? I don’t know, maybe it’s pretty small,” said Ram, adding that genetic data is less easily exploitable by cybercriminals than financial data. “But I think it would be foolish to think that there will never be a risk and that there isn’t someone out there who’s motivated to exploit it just because it hasn’t happened yet or happened widely.”

But for high-profile politicians, the theft of genetic information could pose even greater risks.

In 2008, scholars hypothesized that presidential candidates’ DNA could be targeted and released to sway the outcomes of future elections. For example, presidential candidates could release information about their opponents’ genetic data to try to harm their chances, scholars wrote in the New England Journal of Medicine in 2008.

“Future presidential candidates should resist calls to disclose their own genetic information,” they argued. “We recommend that they also pledge that their campaigns will not attempt to obtain or release genomic information about their opponents.”

The threat of genetic theft also appears to have had an impact on the global stage. When French President Emmanuel Macron met with Russian President Vladimir Putin in Moscow in February, he declined to take a Russian coronavirus test and sat across from Putin at a comically long table, my colleague Claire Parker reports.

“We knew very well that meant no handshake and that long table,” a person with knowledge of Macron’s health protocol told Reuters. “But we could not accept that they get their hands on the president’s DNA.”

US officials have been ringing alarm bells about the security of genetic information.

Some of those warnings have centered on China, which US counterintelligence officials say has collected troves of Chinese genomic data for surveillance in the Xinjiang region, where China has launched a harsh crackdown on the local Uyghur population.

China is also expanding its sights internationally, they warn. “China’s access to US health-care and genomic data poses serious privacy and national security risks to the US,” the US government’s National Counterintelligence and Security Center warned last year.

“Your DNA is the most valuable thing you own,” the center said. “It holds the most intimate details of your past, present and potential future — whether you are prone to addiction or high-risk for cancer. It is your unique genetic code and can enable tailored health-care delivery to you.”

In 2019, the Pentagon warned soldiers about using commercial DNA tests, with top officials writing that “exposing sensitive genetic information to outside parties poses personal and operational risks to Service members,” Yahoo News reported.

A document prepared by the US government and private sector partners also warned about the security risks of commercial genetic tests. “As with any digital information, it could be exposed in a data breach,” it warned.

Thailand says it uses spyware after civil society reports Pegasus infections

Thailand’s Minister of Digital Economy and Society Chaiwut Thanakamanusorn admitted to the country using spyware, but he did not say which surveillance tools authorities used, who was targeted or which government agencies had access to the tool, Reuters‘s Panu Wongcha-um reports. The acknowledgment by Thanakamanusorn comes days after researchers announced that dozens of Thai activists and supporters had been hacked using NSO Group’s Pegasus spyware.

“It is used on national security or drug matters. If you need to arrest a drug dealer, you have to listen in to find where the drop would be,” Thanakamanusorn said. “I understand that there was usage of this sort, but it is very limited and only in special cases.”

Thailand’s police have denied using Pegasus, and Thanakamanusorn’s ministry previously said it didn’t know anything about the matter, Reuters reported. NSO Group didn’t respond to the outlet’s request for comment.

Former Twitter staffer heads to trial over claims he secretly gave Saudi Arabia data

Authorities arrested the former Twitter employee, Ahmad Abouammoin 2019. He’s accused of being an unregistered agent of the Saudi government and committing wire fraud and money laundering.

Abouammo was paid at least $300,000 and received a $20,000 watch from Bader Al-Asakera Saudi official who ran Saudi Crown Prince Mohammed bin Salman’s charity, prosecutors say.

“Abouammo, who was arrested in Seattle, worked for Twitter as a media partnerships manager,” my colleagues wrote in 2019. “He met Asaker in London in late 2014. Within a week, he began illicitly accessing data for the Saudis,” and one of his targets was an anonymous Saudi critic whose tweets about Saudi corruption to more than a million followers have angered Saudi officials, they wrote.

Abouammo’s attorney, Angela Chung, told the New York Times that “we look forward to vindicating Mr. Abouammo and for him to have his day in court.” Prosecutors expect Abouammo’s team to argue that he was legally working as a consultant for Saudi Arabia, the Times reports, citing a court filing. Chuang declined to comment to the Times on the strategy.

  • A Twitter spokeswoman told the Times that the company’s “information security practices undergo rigorous audits by an external auditor — as has been the case since 2012.” The company has long invested in security, updated its practices and takes threats “extremely seriously,” she told the outlet.

In 2019, prosecutors also charged another Twitter employee, ali alzabarah. Abouammo and Alzabarah are accused of sharing data with ahmed almutairi, who prosecutors say was the intermediary between them and Saudi officials. But US law enforcement is still trying to arrest Alzabarah and Almutairi. In 2019, prosecutors said they believed the men were in Saudi Arabia.

With new bills, lawmakers seek to protect election workers and outcomes of votes

A bipartisan group of senators unveiled two bills Wednesday intended to protect poll workers from violence and avert a repeat of attempts to reverse the 2020 election, as election-related threats make headlines.

The first of the two bills, our colleague Leigh Ann Caldwell reports, would clarify vague elements of the 1887 law that former president donald trump sought to exploit to overturn the 2020 presidential race outcome. For instance, it would make it harder for members of Congress to object to state results. The second measure would double ends for anyone who threatens election workers.

While the bipartisan teamwork might point to promising chances of the bills becoming law, Senate Minority Leader Mitch McConnell (R-Ky.) said the first bill “needs to be fixed,” so not all is copacetic.

The legislation arrived as Wednesday brought a grim bounty of news about attempts to undermine elections and target election-related government officials.

  • The House Homeland Security Committee listened to state government leaders and election integrity experts about the tide of threats building against election administrators. Bloomberg News recently reported on harassment of mayors and local officials as well over the 2020 election and other points of political division.
  • The Arizona Republican Party’s executive committee censored Rusty Bowersthe top GOP leader of the state’s House of Representatives, over his testimony before the Jan. 6 committee in Washington, where Bowers told lawmakers how he resisted pressure from Trump and his allies to throw out election results in his state.

Is the Secret Service’s claim about erased text messages plausible? (zero-day)

FBI flew cyber officials from Ukraine to US for training, Ukrainian official says (CyberScoop)

Data-privacy bill advances in Congress, but states throw up objections (The Wall Street Journal)

House panel’s bill would block US buyers of foreign spyware (Reuters)

Senators question school surveillance startups on abortion searches (Bloomberg)

US probes China’s Huawei over equipment near missile silos (Reuters)

Russian state media flouts European sanctions (Politico Europe)

Why did MI5 name Christine Lee as an ‘agent of influence’? (BBCnews)

Cyber ​​Command shares bevy of new malware used against Ukraine (The Record)

Romanian hacker faces US trial over virus-for-hire service (The Verge)

Tina Peters attempts to circumvent SoS, asks counties to begin recount (Grand Junction Daily Sentinel)

The growth in targeted, sophisticated cyberattacks troubles top FBI cyber official (CyberScoop)

US Cyber ​​Command exposes malware targeting Ukrainian entities (CyberScoop)

China fins Didi $1.2 billion for breaking data-security laws (Eva Dou and Pei-Lin Wu)

  • Arizona Secretary of State katie hobbs (D) speaks at a Brookings Institution event on election integrity on Tuesday at 10 am
  • The Atlantic Council hosts an event on ransomware Tuesday at 12:30 pm
  • The House Intelligence Committee holds a hearing on the national security risks of spyware Wednesday at 10 am
  • The Committee on House Administration holds a hearing on disinformation Wednesday at 10 am

Thanks for reading. See you tomorrow.

Leave a Comment