UK Biobank Data Breach: 500,000 Genomes Listed on Alibaba
Summary: Genetic, medical, and lifestyle data from all 500,000 UK Biobank volunteers was listed for sale on Alibaba after three Chinese research institutions with legitimate access violated their data-sharing agreements. The data, though de-identified, includes genome sequences, hospital diagnoses, and biological measures that experts say can be re-identified.
Data Breach Details:
This week, genetic, medical, and lifestyle data from 500,000 British volunteers was found listed for sale on Alibaba’s e-commerce platform in China, confirming a breach reported by the UK government on Wednesday. Three Chinese research institutions that had been granted legitimate access to UK Biobank’s database downloaded the data and then listed it for sale. This wasn't a hack; it was a violation of data-sharing agreements by trusted researchers.
Impact and Response:
Ian Murray, Minister of State, revealed that UK Biobank informed the government on Monday 20 April about three listings found on Alibaba, one appearing to contain data from all participants. The data was de-identified but included sensitive information such as:
- Gender
- Age
- Birth month and year
- Socio-economic status
- Lifestyle habits
- Measures from biological samples
Alibaba removed the listings before any sales were made, and the three institutions had their access revoked. UK Biobank has paused all external data access while it develops a solution to prevent bulk downloads, and it has referred itself to the Information Commissioner’s Office (ICO).
About UK Biobank:
UK Biobank is a global biomedical research resource that recruited 500,000 volunteers aged 40-69 between 2006 and 2010. It holds vast amounts of data, including:
- Whole genome sequences for all 500,000 participants (released in full in 2023)
- Blood and urine biomarkers
- Brain and body imaging scans
- Hospital diagnosis records
- GP data
- Detailed lifestyle questionnaires
Approximately 22,000 researchers worldwide have access to the data for approved studies.
Context:
This incident highlights concerns about data security in open research data-sharing models and the importance of strict compliance with access agreements.