The latest chapter of a 23andMe hack took a new turn to the dark side.
The company is now allegedly blaming its affected users for a breach, which reportedly saw the theft of genetic and personal data from a total of 6.9 million users.
In what is becoming, unfortunately, a normal move for companies impacted by cybersecurity incidents, 23andMe looks to have resorted to legal channels to fight a battle — one against its users
On January 3, TechCrunch published a 23andMe legal letter reportedly sent by the company to the victims of the breach. 23andMe is facing over 30 lawsuits from affected users.
The 23andMe hack began in October after cybercriminals breached the system using a technique known as credential stuffing — the use of passwords obtained from previous attacks.
Soon, exfiltrated DNA data was leaked and surfaced online.
At first, 23andMe assured users they did not have “any indication that there was a data security incident within their systems”, and it was reported that the breach only affected about 14,000 accounts.
But matters soon escalated, with 6.9 million users affected, partly via the DNA Relatives feature, which allows 23andMe users to share information with other users.
By the time the dust settled, hackers had left the digital scene with DNA digital data, names, relationship labels, family trees, birth data, locations, ancestry reports, health data, and much more.
This led to more than 30 lawsuits filed against the company and an interesting response to those lawsuits.
Passwords, Smoke and Mirrors, and Lack of Access Security
From the first communication, 23andMe blamed the hack’s victims.
When they described how attackers gained access, they said:
“After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”
In the new letter — sent to victims by the company’s lawyers and made public by TechCrunch — they continued down the same responsibility-deflection path.
“…Users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”
The CPRA is the California Privacy Rights Act, and in the letter, 23andMe also denies having violated the California Confidentiality of Medical Information Act (CMIA), the Illinois Genetic Information Privacy Act (GIPA), and other common law violations.
Techopedia talked to Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA), to get expert insight on the issue and bring light to an already grim and disturbing cyber attack that continues to affect users.
Breaking down the legal jargon, Reich spoke about the issue.
“This week, 23andMe struck back at their customers who are filing lawsuits, blaming them for not taking the right steps to protect their identity information.
“This is always a bad situation for all, especially the individuals affected.”
Companies Should Know Users Are Not Always Password Savvy
Any cybersecurity expert knows — and expects — users who recycle passwords do not enable MFA or fail to employ strong and unique passwords for their accounts.
READ MORE: Think Twice Before You Click that MFA Link
Therefore, companies are well aware that it is their job and their responsibility to take additional steps to secure user data. This is one of the most basic rules of authentication security and Zero Trust models where no one is trusted — not even your users.
Under Zero Trust, users must be verified and validated constantly and given the least access possible.
Furthermore, companies must deploy a robust layered security solution, ensure digital attack surface integrity, have a solid incident response plan, and, most importantly, make sure their access and authentication technologies are up to the task.
Reich told Techopedia about these responsibilities.
“Every custodian of identity information has the ethical obligation to take reasonable steps to protect that information and keep the owner of the information informed as to its status.”
The Big Cybersecurity Questions: The Simple Answers
In the end, the 23andMe cyberattack, and others, really comes down to several questions that have straightforward answers:
Should companies blame their users for password issues? Are users responsible for their security, especially on sites that contain sensitive health information such as DNA and other personal data? Should companies expect people to use safe and strong passwords?
The answer to all of these questions is “No”.
Reich broke it down in simple terms.
“Yes, we have reached the point where the vast majority of users know that using multi-factor authentication (MFA) can slow down attackers. We should all be using that tool.
“Regardless, the victim is not the cause of the issue here. This could be compared to a situation where a shop has holes in the floor customers walk on, and the shop owner puts up a little sign on the front door saying ‘Watch out for holes.’
“When a customer trips and is injured, the shop owner should not say that they warned them of holes. The holes should have been fixed in the first place.”
If there is one thing that the security industry has learned in 2023, and perhaps before, it is that fileless attacks that include phishing, dark web password auctions, and credential stuffing are some of the most used techniques to breach systems.
Cybercriminals know that it is much easier to successfully launch and execute attacks if they have user passwords — no matter where or how they got them.
Compared to developing sophisticated malware to brute force your way into a digital system that is already fortified with the latest security software, having users’ passwords is a golden ticket.
Furthermore, these types of attacks are very difficult to detect. Naturally, any company with millions of users is well aware of these trends and should not be playing right into the hands of attackers.
While fileless attacks will continue to exist and thrive, one thing is certain: incidents will continue to exist. We do not expect companies to be able to shut down every single cyberattack. That is an impossible task.
READ MORE: The Best Password Managers for 2024
The difference is that while some companies take responsibility and ownership of their security, are transparent with users, and strive to remediate security incidents, others do not. One thing is certain, blaming users for the passwords used is undoubtedly a big no-no, especially if you deal with DNA.
As Reich told Techopedia:
“Identity is the new security perimeter and, with DNA, it may be the last frontier for the protection of individuals.
“We cannot treat this lightly and we must all take steps to protect our own identities and ensure that the custodians of our information demonstrate that they take this responsibility seriously.”