The DNA testing company 23andMe has had a rough few months: in October it was first reported that customer data had been breached, and now its response to those breaches, prompted by customers taking legal action against the company, is under scrutiny. In an almost bizarre twist, 23andMe has stated in a letter that plaintiffs who had moved to take legal action against the company under the California Privacy Rights Act (CPRA) were not in fact affected by any security breach under the CPRA. The reason? It was all their fault. Legal eagles for 23andMe explained: “23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their login credentials…” It went on to say that users were negligent in failing to update passwords affected by previous data breaches unrelated to 23andMe.
The real kicker, however, was the assertion in the same letter that the “information that was potentially accessed cannot be used for any harm.” Nick Rago, field CTO at Salt Security, explained why this statement is foolhardy:
“In this age of sophisticated social engineering attacks, any claim that a data breach cannot cause ‘pecuniary harm’ because it did not consist of social security numbers, driver’s license numbers, or credit card data has to be done tongue in cheek. In 2023, we saw how social engineering tactics used as a first wave of an attack campaign have wreaked havoc for not only consumers, but for large corporate entities as well.”
He went on to say: “Exposing any genealogy or relationship information would be quite useful to an attacker when building a targeted social engineering attack, whether it be targeted at scamming a consumer, stealing an identity, or as a phase of a more sophisticated attack campaign, such as getting privileged system access in a corporate infrastructure.”
Erfan Shadabi, Cybersecurity Expert at comforte AG, agreed, adding: “Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity. While it is true that users have an obligation to follow best practices for account safety, companies also have an obligation to protect the sensitive information that has been entrusted to them.”
Darren Guccione, CEO and co-founder of Keeper Security, said: “Attributing isolated responsibility to users often overlooks a pervasive responsibility of an organisation to implement robust security measures and facilitate cybersecurity best practices among its users. Generally, there is a fiduciary obligation for organisations to protect collected, sensitive and confidential information of its users, employees and other stakeholders. Aside from robust internal controls and technology applications to protect privacy, security and confidentiality of sensitive digital assets, strong password requirements and mandatory multi-factor authentication are two critical measures that can protect user accounts. 74% of breaches involve the human element – with the majority consisting of stolen or weak passwords, credentials and secrets. Password management software applications serve this purpose.”
Aside from the technicalities, Eskenzi PR’s co-founder, Yvonne Eskenzi, describes the situation as poor PR. “From a crisis comms standpoint, 23andMe’s response to its breach misses the mark completely. In the wake of a cyberattack, the impacted company needs to act quickly to provide customers with factual, honest, and up-to-date information,” she said. “In the case of the 23andMe breach, the decision to blame the victims has fuelled negative press, dodged responsibility, and failed to express any compassion towards those impacted. While this is probably heavily driven by the company’s legal department, the letter’s tone will likely anger customers and fuel backlash. Ultimately, in many cases, the average person may not know that their password has been compromised elsewhere. It is up to an organisation to make sure that its security measures are robust enough to mitigate any end-user risk. Publicly downplaying the risk and deflecting blame is undoubtedly poor PR.”
Though 23andMe and other genealogy companies have since taken steps to increase protection measures on customer accounts, Shadabi says there’s more that can be done.
“It is admirable that 23andMe has taken the recent step of requiring two-factor authentication (2FA) to strengthen defences against credential stuffing attacks,” he said. “But concentrating just on account-centric security is not enough. Businesses like 23andMe should pair 2FA with a strong data-centric security plan. Since compromised information can be used for identity theft, insurance fraud, and other nefarious actions, protecting the data itself is crucial. Tokenization, access controls, and frequent audits can be put into place to strengthen the security posture overall and lessen the effect of possible breaches.”
To further strengthen technical controls, behaviour and anomaly detection are also crucial. “It is important for organisations to keep in mind that attackers are getting very good at staying below the radar and masquerading attack traffic as normal traffic. Traditional edge web defences lack the behavioural anomaly detection needed in many cases to detect adversarial activity. It is important to add behavioural threat protection in an organisation’s security arsenal to combat this new generation of threats,” explained Salt Security’s Rago.
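One form of the behavioural detection Rago describes, as an added example that is not from the article or from Salt Security: a credential-stuffing heuristic run over constructed authentication log lines. The log format, the sliding window and the thresholds are assumptions; the point is that stuffing with a leaked credential list spreads attempts across many accounts, which a per-request edge filter does not see.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data); assumed format:
# "<ISO timestamp> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol OK
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin FAIL
2023-10-01T10:00:06 203.0.113.7 frank OK
2023-10-01T10:05:00 198.51.100.9 alice FAIL
2023-10-01T10:05:20 198.51.100.9 alice OK
2023-10-01T10:07:00 192.0.2.44 bob OK
"""

def parse(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def flag_credential_stuffing(events, window=timedelta(minutes=10),
                             min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that hit many distinct accounts inside
    `window` with a high failure ratio. A user mistyping a password fails on one
    account; stuffing spreads attempts over many, and its successes need a reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            win = evs[start:end + 1]
            accounts = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            # keep the widest qualifying window seen for this source
            if (len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio
                    and len(accounts) > flagged.get(ip, {}).get("accounts", 0)):
                flagged[ip] = {"accounts": len(accounts), "attempts": len(win),
                               "compromised": sorted(u for _, u, ok in win if ok)}
    return flagged
```

A per-source heuristic like this misses stuffing spread across many proxy addresses, so it is paired in practice with population-level baselines such as the site-wide login failure rate.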
Guccione sees shared responsibility as the best way forward. He said: “A culture of shared responsibility for security, where both the organisation and its users play a role, can promote a resilient and secure environment, which is why users must advocate for their own cybersecurity as well. It is imperative for everyone to practise good cyber hygiene by using strong and unique passwords for all accounts on every device. To achieve this, it is essential to use a password manager – this will create high-strength random passwords for every website, application and system and further, will enable 2FA to protect against remote data breaches. A password manager is a critical first line of defence against ransomware and the most common attack vectors in a data breach.”
Perhaps Colin Little, Security Engineer at Centripetal, best summed up the gravity of the precedent this case sets:
“The real people who suffer in large data breaches, truly, are the individual consumers in the end. The fact that people’s genetic ancestry results have been stolen in this breach opens entirely new possibilities for data extortion and identity theft. Too often the names of political figures and celebrities are in the news due to some scandal of affiliation, and now the bad guys have those affiliations genetically mapped out for them.”