Sure, Blame the Victim

That's a great business decision.

In December 2023, 23andMe (the DNA and Genetic testing company) disclosed that in October they had been the victim of a data breach, where approximately 14,000 user accounts had been compromised. Due to a service called “DNA Relatives” an additional, roughly, 7 million users had their accounts accessible by the bad actor(s). This article is not about the breach itself (a quick online search will provide you with all the gory details), but about 23andMe’s response this week regarding the breach, which was accomplished by “credential stuffing”, where the bad guys use legitimate login/password combinations stolen in other data breaches to access other accounts. This attack type works, because people tend (despite all our efforts) to use the same login/password combination for many accounts (financial, email, social media, etc…)

On about 1/5/24, 23andMe decided that it was a wise decision to release the following statement in a letter discouraging victims from filing lawsuits related to the breach:

“As a preliminary matter, the plaintiffs you purport to represent were not affected by any security breach under the CPRA. As set forth in 23andMe’s October 6, 2023 blog post’. 23andMe believes that unauthorized actors managed o access certain User 4CCOUNIS in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

While legally this statement is not wrong, the desired intent is straight bonkers! In 23andMe’s legal opinion, they are not at fault because the users were too stupid, or ignorant, to not realize they must have their own stringent password policy. I am curious if during the signup process 23andMe mentions this. Chances are it is buried in 20+ pages of policy that no one ever reads that pops up during the account creation process.

Let’s say, for the sake of argument, 23andMe is right here. I have some questions:

1. At ANY point in time did 23andMe remind users on a monthly/quarterly/yearly basis to check their passwords?
2. Did 23andMe require Multi-Factor Authentication (MFA) for all new accounts? This would have nearly eliminated this risk.
3. Did 23andMe have a login-lock procedure in place that would lock a user out after a set number of password errors? Credential stuffing is still largely a brute force attack and the attacker likely needed to try multiple login combinations to get through.

I am only mildly shocked at arrogance showed by 23andMe here. Quality Cyber Leadership is lacking everywhere. I point you to the Solarwinds CEO 2 years ago who blamed a SUMMER INTERN in the data breach that caused them grief.

I don’t necessarily have a solution here, just throwing this out there for discussion purposes here, because if 23andMe skates on this, other companies are sure to follow suit.

And one thing we, should, know for sure is that the VAST, VAST majority of folks are not cyber savvy, even on the password front (even though those of us in cyber-security land bang this drum all the time.) There are simple things companies can do to reduce this risk, like create login-failure locks, require MFA and the like. If 23andMe REALLY cared about their users, they may have made that effort rather than blame the victims.

I hope the users revolt.

#knowledgeisprotection #databreach #protectyourinfo