No apologies: victims of 23andMe data breach blamed for reused passwords

Was poor password security behind the 23andMe data breach?
1 February 2024

Who’s to blame for the 23andMe data breach?

• Who’s to blame for the 23andMe data breach?
• Company claims there’s no merit to the claims of the victims.
• Meanwhile, victims are gathering evidence and building cases.

When a company suffers a data breach, victims are generally issued with an apology and a request for forgiveness, to maintain overall public trust. Not if you’re 23andMe!

The publicly held personal genomics and biotechnology company has been blaming victims of its recent data breach for the attack that compromised their data. Why? Because users allegedly recycled their login credentials and were negligent in failing to update passwords that had been exposed in a previous data breach. As a result, hackers could access certain user accounts, with the breach estimated to have affected 6.9 million users.

That’s a lot of blaming to do.

Victims of the breach have been pursuing a class-action lawsuit against 23andMe, but the company has responded, urging those who are suing to “consider the futility of continuing to pursue an action in this case.” According to 23andMe, the users’ claims have zero merit and any information that may have been accessed “cannot be used for any harm.”

What the hack happened?

Close to 7 million 23andMe customers had their data compromised by an anonymous hacker who accessed around 14,000 account profiles (around 0.1% of the site’s 14 million users) before posting them online for sale. It is believed the hacker used login credentials leaked in earlier breaches of other websites. This tactic, known as credential stuffing, gave the hacker access to the information of users signed up to the DNA Relatives feature. From there, they could view the percentage of DNA shared by those users and any health-related information.

Privacy advocates have warned against DNA sharing on sites like 23andMe in the past, as it can expose sensitive details about a person’s genetics and the health risks faced by them and their relatives. Because so many users share their genetic information with other users, the hacker in 23andMe’s case was able to access the information of millions more.

23andMe claims no fault

So far, over 30 lawsuits have been filed against 23andMe, but the company continues to claim the cases are meritless. Right now, courts have yet to weigh in on the matter. However, one US District Court determined that over 100 users had credibly claimed damages exceeding $5 million. The users accuse 23andMe of violating certain state laws, such as the California Privacy Rights Act (CPRA), which is considered the most stringent consumer privacy law in the U.S.

According to the CPRA, any business that gathers sensitive data is required to implement “reasonable security procedures.” However, this legislation does not define what constitutes reasonable measures. It is this vagueness that 23andMe is using to argue its case. The company argues that users “negligently recycled and failed to update their passwords” in the aftermath of previous security breaches. Therefore, they are to blame for this hacking. According to a 23andMe letter, “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

Affected users are prepared to fight, though, also alleging that 23andMe is liable for compensation related to the devaluation of their personal information, emotional distress, and expenses for addressing the repercussions of the breach. The victims are also seeking a court order compelling 23andMe to surrender all profits retained due to its “failed promise to safeguard their data.”

With so many victims suing, efforts are being made to consolidate the cases via multidistrict litigation, to limit the court’s burden.

23andMe data breach claims could be foolhardy

Password recycling - the cause of the data breach?

23andMe’s claim that the “information that was potentially accessed cannot be used for any harm” is considered foolhardy by many security experts. 23andMe has dismissed the potential harm of the data breach based on the absence of traditional sensitive information, such as credit card details, driver’s license numbers, and social security numbers.

The issue with this is that relationship and genealogy information has been exposed, which can be very useful to attackers planning targeted social engineering attacks. Such attacks could be used to scam consumers, steal identities, and gain a foothold inside corporate infrastructures.

While users have an obligation to follow security practices to keep their information safe, companies also have a responsibility to protect their customers’ sensitive data. After all, users have entrusted the company with that information.

23andMe has taken steps to up its security game, introducing two-factor authentication (2FA). Nevertheless, security experts do not think account-centric security is enough. Instead, companies need to combine 2FA with robust data-centric security plans to avoid future credential stuffing attacks. Data can be used for insurance fraud and identity theft, so it must be protected vigilantly.

Anomaly and behavior detection are also important if technical controls are to be strengthened. Attackers keep finding new ways to make attack traffic look like ordinary user traffic, so advanced behavioral threat protection is needed to keep pace with the growing number of dangerous threats.
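As an added illustration of the behavioral detection this paragraph calls for (example code written for this page, not 23andMe’s or any vendor’s), the Python below scans a constructed login log for the credential-stuffing pattern described earlier in the article: a single source cycling through many distinct accounts with mostly failed logins, and it surfaces the accounts where a reused password worked so they can be reset and their sessions revoked. The log format, IP addresses, accounts and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com OK
2023-10-01T10:01:00Z 198.51.100.9 ivan@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.9 ivan@example.com OK
2023-10-01T10:02:00Z 192.0.2.5 judy@example.com FAIL
"""


def parse_log(text):
    """Parse 'timestamp ip account outcome' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, outcome = parts
        events.append((ts, ip, account, outcome == "OK"))
    return events


def detect_credential_stuffing(events, min_attempts=5, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that spray logins across many distinct accounts with mostly failures.
    A real user retrying their own password touches one account and is not flagged."""
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "accounts": set(), "compromised": set()})
    for _ts, ip, account, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        if ok:
            s["successes"] += 1
            s["compromised"].add(account)  # reused password worked: reset it, revoke sessions
    suspects = {}
    for ip, s in per_ip.items():
        fail_ratio = 1 - s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["accounts"]) >= min_accounts
                and fail_ratio >= min_fail_ratio):
            suspects[ip] = {"attempts": s["attempts"], "accounts": len(s["accounts"]),
                            "fail_ratio": round(fail_ratio, 2),
                            "compromised": sorted(s["compromised"])}
    return suspects
```

Per-IP counting is the simplest form; real credential-stuffing tools rotate through proxies, so production detectors also key on user-agent fingerprints, ASN and global failure rates rather than a single address.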

When we consider this 23andMe security breach, it seems instinctively unfair to say the victims are at fault. But some, including judges, may agree with 23andMe that users had a responsibility to secure their accounts after previous attacks. Whether shared responsibility is the answer is up to the courts to decide. Expect more backlash toward 23andMe to come.