What Happened?

In early December, Engadget reported that 23andMe had been hacked in October, affecting 0.1% (14,000) of its customers’ accounts. The attackers then exploited 23andMe’s opt-in DNA Relatives feature, which matches users to their genetic relatives, to gain access to an additional 5.5 million records and a further 1.4 million linked Family Tree profiles.

Whilst many organisations suffer breaches, 23andMe’s reaction is an example of how not to react: they have blamed their victims.

23andMe take this position because, they say, the breach was caused by 14,000 accounts whose credentials had leaked in past data breaches being used for credential stuffing (the automated injection of stolen username and password pairs into website login forms).

In a letter to the solicitors running a class action, 23andMe squarely laid the blame for this with their users and suggested any claims were futile and should be dropped.

Is 23andMe's position reasonable?

Cyber security is rarely this black and white. Credentials are often stolen, and 23andMe could have taken action to reduce the chance of a threat actor gaining access: multi-factor authentication, for example, would have resisted most credential stuffing attempts. The absence of MFA is a basic security failure. Furthermore, the fact that the attackers were able to reach so many more records once inside 23andMe’s environment demonstrates that there were no controls to limit how far an authenticated account could move within it.
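As an added illustration of the detective controls that would address both failures above (example code written for this article, not 23andMe’s systems; the log events, addresses and thresholds are all constructed assumptions), the following flags login sources whose spread of usernames and failure rate match credential stuffing, lists the accounts that need a forced reset and MFA step-up, and flags accounts that pull far more relative profiles than ordinary use of an opt-in matching feature would:

```python
from collections import defaultdict

# Constructed sample authentication events: (source_ip, username, outcome).
# 203.0.113.7 tries 20 different usernames and lands 3 of them, the classic
# shape of credential stuffing; 198.51.100.4 is one user mistyping a password.
STUFFING_IP = "203.0.113.7"
LOGIN_EVENTS = [(STUFFING_IP, f"user{i}", "ok" if i % 7 == 0 else "fail") for i in range(20)]
LOGIN_EVENTS += [("198.51.100.4", "alice", "fail")] * 2 + [("198.51.100.4", "alice", "ok")]

# Constructed sample feature events: (account, relative_profile_id). user7, one of
# the stuffed accounts, pulls 500 relative profiles; alice browses a dozen.
PROFILE_VIEWS = [("user7", f"rel{j}") for j in range(500)]
PROFILE_VIEWS += [("alice", f"rel{j}") for j in range(12)]


def credential_stuffing_sources(events, min_attempts=10, min_accounts=5, max_success_ratio=0.2):
    """Source IPs whose logins look like credential stuffing: many distinct usernames
    tried from one source with a low success rate (thresholds are assumed values)."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += 1 if outcome == "ok" else 0
        s["users"].add(user)
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_accounts
                  and s["ok"] / s["attempts"] <= max_success_ratio)


def accounts_to_step_up(events, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: these get a
    forced password reset and an MFA challenge, not a letter blaming the user."""
    return sorted({user for ip, user, outcome in events if ip in flagged_ips and outcome == "ok"})


def relative_profile_scrapers(views, max_profiles=200):
    """Accounts that fetched more distinct relative profiles than normal use (assumed cap);
    this is the rate control that limits the pivot from a few thousand logins to millions."""
    seen = defaultdict(set)
    for account, profile_id in views:
        seen[account].add(profile_id)
    return sorted(a for a, ids in seen.items() if len(ids) > max_profiles)


if __name__ == "__main__":
    flagged = credential_stuffing_sources(LOGIN_EVENTS)
    print("stuffing sources:", flagged)  # ['203.0.113.7']
    print("step-up accounts:", accounts_to_step_up(LOGIN_EVENTS, set(flagged)))  # ['user0', 'user14', 'user7']
    print("scrapers:", relative_profile_scrapers(PROFILE_VIEWS))  # ['user7']
```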

The knee-jerk reaction of blaming the users is, in 2024, an extremely immature security posture and may cost them future earnings, as reputation is everything.

Ian Simons, our CEO, has this to say: ‘The total lack of MFA to verify the users’ identity is simply not acceptable in 2024. In addition, the traditional method of blaming your user base for the breach shows that the leadership of the organisation have a lot to learn with regard to cyber security and desperately need an experienced CISO to take control of the internal policies and procedures.’

Our DPO stated: ‘This may be considered a lack of appropriate organisational security measures. The concept of human behaviour will always be the weakest link within the security chain. Password reuse, although constantly discouraged, is not a new concept, and has been around since the dawn of the internet age. Service providers should be utilising current technologies to mitigate these risks.’

That said, 23andMe aren’t the first to get the communication piece wrong and sadly they won’t be the last: earlier examples include Equifax, who failed to act quickly on a known vulnerability and then lacked reporting transparency, and Uber, who tried to keep evidence of its hack from becoming public.

If you are unsure as to what security should be in place or what to do if you do suffer a breach, contact us at Cyber & Data Protection.