Image via Live Science

Who was breached?

23andMe, a distinguished biotechnology and personal genomics company, officially disclosed a data breach impacting their “DNA Relative” feature. This functionality allowed users to globally connect, sharing personal data encompassing relationship labels, ancestry reports, and matching DNA segments. The breach was brought to light when hackers, as a proof, advertised one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a well-known hacking forum, soliciting potential buyers for the data at prices ranging from $1 to $10 per individual account.

As a consequence of this breach, the personal data of approximately 0.1% of their customers, estimated to be around 14,000 individuals, was exposed. Subsequently, 23andMe confirmed that an additional 1.4 million individuals who utilized the DNA Relative feature had their family-tree data compromised, including display names, relationship labels, birth year, and self-reported location. Later on 23andMe confirmed to TechCrunch (An American global online newspaper focusing on high tech and startup companies), because of an Opt-in feature which allowed DNA-relatives to contact each other, the total number of customer data that was exposed is estimated to be 6.9 million, which was less than half of the 23andMe reported customers. This breach was initially disclosed in October when user account passwords were reset by 23andMe, but the impact was not made public until this past week.  

How did this attack happen?

It was speculated that the attackers utilized credential stuffing as an attack vector, harvesting stolen passwords from other platforms and utilizing them to compromise 23andMe accounts. This method facilitated unauthorized access to user accounts linked through the DNA Relative feature, leading to the exposure of sensitive DNA Relative profile information to the perpetrators.

Users who sign up for web services commonly leave out security precautions like using unique passwords and enabling multi factor authentication. In this day and age it is extremely easy for hackers to buy lists of credentials on the dark web to attempt password spraying attacks across numerous platforms. While 23andMe is not responsible for the security hygiene of their users’ habits, actions like mandating multi factor authentication, requiring complex passwords, blocking IP addresses with high numbers of failed logins from authenticating, and monitoring for anomalous activity, can help reduce the impact of these attackers.

How did 23andMe respond?

After the initial attack 23andMe sent emails notifying customers that all account passwords were being reset and multifactor authentication was mandated. This was in October 2023 leaving customers and the public in the dark about the impact of this attack until this past week. The initial SEC filing was updated, noting the 14,000 customer accounts that had been stuffed and then was amended days later to include the 5.5 million people whose display names and relationship data were exposed as well as the 1.4 million users through “Family Tree” whose display name, relationship data, and birth years were exposed. 

23andMe  has made few comments on the attack beyond that the initial vector was from credential stuffing. When asked about the SEC filing they noted they had made these updates to provide more specific numbers for regulators and the public. On social media platforms 23andMe is receiving backlash from customers claiming their credentials were unique to the site and it was not possible they were stuffed. There is no way to prove accuracy of these claims, but the ambiguous and delayed nature of the disclosure seems to be frustrating some of their customer base. As we are seeing more and more incident disclosures the general public is becoming accustomed to detail and transparency. Security analysts, including Brett Callow, advocate for standardized disclosure and reporting laws, uniform language in disclosures, and regulation of negotiations to enhance cybersecurity transparency.

Weeks after the 23andMe breach, similar services, Ancestry and MyHeritage, also began promoting and mandating multi factor authentication on user accounts. This public disclosure seems to have acted as threat intelligence to these companies in the same vertical. While destructive attacks have many negatives, they do force numerous organizations to reassess their own posture and become more secure. 

Legal Fallout 

Unsurprisingly 23andMe is already facing class action lawsuits from this breach. Two Canadian law firms have started lawsuits against the company in the Supreme Court of British Columbia. Around the same time 23andMe changed their terms of service to prohibit customers from suing the firm or pursuing class action lawsuits against it. 23andMe is allowing for customers to explicitly disagree with the new terms in the next 30 days or else they will be accepted by silence and changed automatically. 

Some are claiming that 23andMe may be trying to shield itself from ongoing lawsuits and to lessen the legal fallout from this breach. 23andMe claims that these changes were not to avoid lawsuits but to speed up the resolution of ongoing legal disputes. The new terms would allow for customers to seek damages in small claims courts if they give the company notice before appointing an arbitrator to handle the case. Customers can still opt out of mandatory arbitration if they do not agree with the new terms. 

Legal experts have commented that this type of action will likely not hold up in most courts. These kinds of changes will only hold up if customers have a reasonable notice to opt in or out, but 23andMe may have a hard time proving this. We may see new legal precedent from this breach as legal action unfolds over the coming months.

As we enter the holiday season we should expect to see more and more destructive cyber attacks. Staples shows that even a major retailer that operates close to 1000 locations can have its key business processes critically impacted by a cyber attack. In the age of online shopping, it is apt that organizations create a secure and resilient digital environment to support their operations. 

While the details of this attack will continue to be revealed, its impact was made clear by the disruption of services on Cyber Monday and throughout the following days. 

In a time when cyber breaches seem inevitable for all organizations, business process resilience built through cybersecurity defense in depth strategies and business risk led cyber risk governance is going to differentiate organizations from winners and losers.
Clorox was the leader in their industry on the Forbes list for most secure companies, but they ended up with a major breach costing millions and billions of dollars  because it was not just a breach, it was an attack on critical business operations. Let this incident among many be a lesson to urge organizations to see beyond just cyber breach risk and  focus on operational resilience by layering defenses to protect their critical business processes.

What does this mean for customers?

Customers are continually suffering from the consequences of data breaches of numerous organizations. With each breach public outrage seems to grow and expand. In the wake of these breaches individuals can start to learn lessons to improve their own security hygiene. Here are some things the average person can take away from this breach:

• Reusing Passwords and MFA : Following the 23andMe data breach, the importance of robust password security has become paramount for customers. This incident serves as a stark reminder of the perils associated with password reuse and the negligence of Multi-Factor Authentication (MFA). The practice of using the same passwords across multiple platforms creates a vulnerability exploited by hackers, as evidenced in this case. Implementing MFA, an additional layer of security beyond the user’s password, significantly mitigates the risk of unauthorized access even in the event of a compromised password. Moreover, providing users with proper education regarding the risks associated with password-related attacks and the benefits of sound authentication practices serves as a valuable lesson in strengthening the overall cybersecurity.

• Legal Rights as a Customer: In the aftermath of the breach, customers find themselves facing potential legal implications. Class action lawsuits have been initiated against 23andMe, emphasizing the importance of understanding one’s legal rights as a customer. The alteration of terms of service, attempting to limit customers’ ability to sue or pursue class action lawsuits, adds a layer of complexity. Customers are advised to stay informed about their rights, carefully review updated terms, and consider their options, including opting out of mandatory arbitration if they disagree with the new terms.

• Personal Information as a Tool in Geopolitical Conflicts: The exposure of personal data, especially in the context of geopolitical conflicts, raises concerns about the potential misuse of such information. The selective targeting of specific user groups in the breach, such as individuals of Jewish Ashkenazi descent and Chinese users, suggests that personal information can be leveraged for various purposes. Customers are prompted to be aware of the broader implications of data breaches, emphasizing the need for heightened vigilance and consideration of how their personal information may be exploited in larger geopolitical contexts.

• Awareness of Information Disclosure and Your Digital Footprint: The 23andMe breach serves as a reminder of the impact of information disclosure and its lasting effects on an individual’s digital footprint. Customers should be conscious of the data they share online, particularly on platforms dealing with sensitive information like genetic data. Understanding the extent of information that can be exposed, like DNA-related information, reinforces the importance of digital awareness. Users should be aware of the extent of information disclosure on platforms that offer personalized services and are encouraged to regularly review and update privacy settings.  and stay informed about the evolving landscape of cybersecurity threats.

Conclusion

The 23andMe data breach underscores the critical need for robust cybersecurity measures and heightened user awareness. The incident, where personal data of millions was exposed, highlights the repercussions of password reuse and the imperative role of Multi-Factor Authentication (MFA) in mitigating such risks. The delayed and ambiguous disclosure by 23andMe has sparked public frustration, emphasizing the growing demand for transparency in such incidents.

Resources

• Lorenzo Franceschi-Bicchierai. 23andMe confirms hackers stole ancestry data on 6.9 million users – TechCrunch

• Zeba Siddiqui. 23andMe notifies customers of data breach into its ‘DNA Relatives’ feature – REUTERS

• Raphael Satter. Hackers advertise sale of 23andMe data on leaked data forum – REUTERS

• Genetic testing firm 23andMe admits hackers accessed DNA data of 7m users – The Guardian

• Lily Hay Newman. The 23andMe Data Breach Keeps Spiraling – WIRED

• Jacob Knutson. 23andMe changes terms of service amid legal fallout from data breach – AXIOS
  

‌Note: This blog post is based on information available as of Dec 7th, 2023, from various news sources. The situation might evolve, and readers are advised to stay updated through official channels.