
23andMe: A Cybersecurity Cautionary Tale

January 30, 2024

As we kick off the new year, businesses and organizations will set new goals, implement fresh strategies, and work towards new milestones. If there’s one thing that never quite makes it on the list, it’s cybersecurity. Not as exciting as marketing, nor as “central” to business as operations, cybersecurity is often relegated to the realm of a business afterthought, usually prompted by a reminder that your Norton Antivirus subscription is ending soon. To ensure we start the year with security top of mind, let’s revisit the 23andMe data breach of 2023. 

The genomics testing agency left customers infuriated and frustrated following assertions that the fault for the data breach lies with customers and not the company. With class action suits, SEC filings, and millions of disgruntled users, 23andMe’s data breach serves as a cautionary tale for why your cybersecurity strategy needs to be a New Year’s priority. Spoiler alert: customers don’t like it when their personal data is exploited by hackers and it’s blamed on password recycling and customer negligence. 

Here’s a breakdown of events and course of action 23andMe has since taken. 

Houston, We Have a Problem

In a filing with the Securities and Exchange Commission (SEC), 23andMe confirmed that they experienced a data breach on October 1, 2023. In their written statement, the company admitted that 14,000 customers were directly affected, highlighting that this represented 0.1% of their entire customer base. The problem, however, is that 23andMe’s opt-in function was exploited. This is a popular service that allows users to share their DNA information across the database and match it with potential relatives. Because each compromised account could view the matches surfaced by the DNA Relatives feature, the number of exposed customers rose sharply to 6.9 million users. The hackers also retrieved sensitive biological data from another subset of customers, including information related to medical conditions. This data later surfaced on the internet, as the hacker(s), under the alias “Golem”, advertised “raw data profiles” for up to $100,000. Naturally, this raised alarm bells and the ire of customers, whose privacy was grossly violated. This is what prompted the class action lawsuit. 

“We’re Not to Blame,” Says 23andMe

In a statement that reeks of absolution, 23andMe said that threat actors could gain access to the initial 14,000 accounts because the users had recycled login details, using the same email/username and password combination across multiple sites. According to the genetic testing company, the weakness in personal security is what led to the incident, as hackers were able to target individual accounts based on information obtained from other websites’ data breaches. The company maintained that their security measures were “reasonable” and that they fully comply with the California Privacy Rights Act (CPRA), which, in their view, should render any claims against them null and void. 

With regard to the exploitation of the DNA Relatives feature, which made an additional six million users vulnerable, 23andMe chalks that up to voluntary sharing of information, and argues they hold no liability on that front either. Cybersecurity experts don’t seem to share this opinion, citing simple best practices like two-factor authentication as an easy preventative measure that companies with sensitive data should employ. As 23andMe is a company processing the very essence of personal information, experts believe more should and could be done to protect customers who are paying for their services and trust(ed) that this information is protected and safe. 

In perhaps a final “salt in the wound” statement, 23andMe grossly downplayed the nature of this violation, stating that the information the hackers accessed could not be used to cause “pecuniary harm” as social security and credit card information was not available. In short, despite strangers on the internet selling your genetic data sets to nefarious individuals, corporations, or organizations, the good news is you won’t be scammed financially. While the legal rebuttal 23andMe provided may be sound and hold up in court, this approach certainly escalated the issue from data concerns to a scandal, largely due to the poor attention to customer trust, respect, and loyalty.

Cybersecurity Experts Weigh In

Bacus v. 23andMe, Inc. is the class action suit filed on behalf of victims of the data breach, who allege that the genetics company did not take reasonable measures to protect their accounts, leaving them vulnerable to exploitation. Cybersecurity expert Erfan Shadabi criticized 23andMe’s response, stating that while customers have a responsibility to adhere to best practices in password management, ultimately, companies are required to stay abreast of threats to customer data, especially when sensitive information is being volunteered. 

Field Chief Technology Officer at Salt Security, Nick Rago, added that the assumption that no harm was done because financial information was not compromised is “outdated”. He indicated that knowledge of familial relationships and genealogy could be incredibly useful to threat actors involved in sophisticated, targeted scams. Answers to security questions like “what was your mother’s maiden name?” and “what city were you born in?” become freely available to hackers, allowing them to further compromise a user’s data. The fact remains that a wealth of sensitive, personal information was accessed by hackers, and with the proliferation of AI, hackers have the ability to craft material to assist in their targeted social engineering campaigns, making this incident all the more egregious. 

Where it Landed

23andMe remains steadfast in its assertion that what happened between October 1st and December 6th was not a data breach, but rather a credential-stuffing campaign. They point out that in some instances, the origin of the data leak was other websites and platforms, and because the same login details were reused, customers fell prey to threat actors. They’ve since reached out to their users and enforced a mandatory password reset and the setup of two-factor authentication. This has already had a ripple effect across the industry, with competitor sites Ancestry and MyHeritage instituting similar updates to their user security. 
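Credential stuffing has a recognizable signature in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the few that succeed are the accounts that reused a password leaked elsewhere. The Python below is an added illustration for this article, not code from 23andMe or from the original piece; it runs a simple per-source sliding-window heuristic over a constructed sample log (the IPs, usernames and thresholds are made up for the example) and returns both the flagged sources and the accounts that successfully logged in from them, which is the set a responder would want to reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# One event per line: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.10 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.10 bob@example.com FAIL
2023-10-01T02:00:03Z 203.0.113.10 carol@example.com SUCCESS
2023-10-01T02:00:04Z 203.0.113.10 dave@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.10 erin@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.10 frank@example.com SUCCESS
2023-10-01T02:00:07Z 203.0.113.10 grace@example.com FAIL
2023-10-01T02:00:08Z 203.0.113.10 heidi@example.com FAIL
2023-10-01T02:05:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T02:05:30Z 198.51.100.7 alice@example.com SUCCESS
2023-10-01T03:00:00Z 192.0.2.44 ivan@example.com SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a high failure
    rate inside `window`. Thresholds are assumed example values, not tuned
    figures. Returns (flagged_ips, accounts_to_reset) where accounts_to_reset
    are the usernames that logged in successfully from a flagged source."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                # Keep the widest evidence seen for this source.
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "fail_ratio": ratio}

    # A successful login from a stuffing source is a likely account takeover.
    accounts = sorted({e[2] for e in events if e[1] in flagged and e[3]})
    return flagged, accounts


if __name__ == "__main__":
    flagged, to_reset = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats['distinct_users']} users, "
              f"fail ratio {stats['fail_ratio']:.2f}")
    print("accounts to reset:", to_reset)
```

The second source in the sample, one user retrying their own password, is deliberately left unflagged: the distinct-username count is what separates stuffing from an ordinary forgotten password. In production this heuristic would be one signal among several (ASN, user agent, impossible travel), and the takeover list would feed a forced reset and an MFA enrolment prompt rather than only a log line.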

To truly understand the scale of the scandal, consider that the US National Security Agency’s cybersecurity director, Rob Joyce, himself a 23andMe user, added his take on the issue through his private account on X (formerly Twitter). He noted with concern that while the company had disclosed the incident was a credential-stuffing attack, they remained vague on how the compromised accounts were selected for the stuffing. As the NSA’s cybersecurity director, Joyce was particularly surprised his account was targeted, as he mentioned that he creates a unique email address for each new account he signs up for. Essentially, his details could not have existed in any other corner of the web. He writes, “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”

Conclusion

23andMe is no small organization, with 14 million user accounts. Since they process sensitive personal data, maintaining robust security measures and fostering trust is pivotal for success. But in cybersecurity, company size doesn’t matter. The fact is, a data breach has a devastating effect on its victims, no matter how few they may be.

In 2024, avoid being surprised by hackers and threat actors, and be proactive in safeguarding your business against the ever-increasing onslaught of cyber crimes. Sit down with your IT managers to devise a sound strategy based on a thorough risk analysis. Ensure employees are well-equipped to spot a suspicious email or transaction a mile off and communicate with customers to prevent negligence and poor password management. Above all, develop robust policies and invest in sound cybersecurity solutions, giving you and your customers the ultimate peace of mind.