23andMe Blames The Victims

Uploaded on 2024-01-05 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Hackers

The genomics company, 23andMe, is facing over 30 law suits from victims of its massive data hack and is now telling the victims that it was their problem.  News of the breach first became known last October, when customer data was posted for sale on the Dark Web

It turn out that 23andMe is currently being sued by a numerous individual victims of the attack since the  user accounts of almost 7 million users were compromised by cyber criminals in a major breach .  

In December 2023, 23andMe had said that hackers had stolen genetic and ancestry data from 6.9m users, nearly 50% of its customers.  To date, 23andMe has been unable to identify brute force and credential stuffing access of 14,000 accounts.

The data breach started with hackers accessing about 14,000 user accounts by hitting accounts with customer passwords a technique known as credential stuffing. From these initial victims, hackers were able to then access the personal data of the other 6.9 million victims because they had opted-in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

By hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

In a letter sent to a group of 23andMe users who are now suing the company, the company said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe... Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Lawyers defending the victims who received the letter from 23andMe, reportedly claim that the company has chosen to downplay the gravity of these events while abandoning its consumers rather than taking responsibility for its part in this data security incident. “This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing, especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” commented Hassan Zavareei, one of the attorneys involved 

According to reports, at least one 23andMe customers is unhappy that the company is "attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims and that after disclosing the breach, all customer passwords were reset and all users and instructed  to use multi-factor authentication, something that was only optional before the breach.

23andMe:     YCombinator:      TechTimes:     Gizmodo:   Techcrunch:    The Verge:    Law.com:

Hassan Zavareei:      Skeptic Society:       Image:  DeepMind

You Might Also Read: 

Cybersecurity Risk Management In The Real World:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« EU Updates Its Cyber Solidarity Act
Winning The Battle Against Ransomware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA)

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing

Ionic Security

Ionic Security

Ionic provide a high-assurance data protection and control platform built on strong encryption, fine-grain control and contextual analytics.

Lynx Software Technologies

Lynx Software Technologies

Lynx provide secure software and operating systems for use in mission critical applications such as aerospace, medical, transportation and IoT.

ERMProtect

ERMProtect

ERMProtect is a leading Information Security & Training Company that helps businesses improve their cybersecurity posture and comply with regulations.

National Cyber Security Authority (NCA) - Saudi Arabia

National Cyber Security Authority (NCA) - Saudi Arabia

The NCA is the government entity in charge of cybersecurity in Saudi Arabia and serves as the national authority on its affairs.

RHEA Group

RHEA Group

RHEA Group offers aerospace and security engineering services and solutions, system development, and technologies including cyber security.

Open Cloud Factory

Open Cloud Factory

Open Cloud Factory is a European based security company, that strives to ease the pressure on IT managers, by providing tools to implement your Security Strategy in an effective and easy manner.

Aries Security

Aries Security

Aries Security provides a premiere cyber training range and skills assessment suite and develops content for all levels of ability.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Drata

Drata

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company's security controls, while streamlining workflows to ensure audit-readiness.

Anxinsec

Anxinsec

Anxinsec Technology is a security solution and service provider with a focus on new technology and innovations in cybersecurity.

LastPass

LastPass

LastPass provides award-winning password and identity management solutions that are convenient, effortless, and easy to manage.

Information Systems Security Association (ISSA)

Information Systems Security Association (ISSA)

ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

InterSec Inc.

InterSec Inc.

InterSec Inc. is a cybersecurity company that offers a variety of services to small and medium-sized businesses including CMMC Compliance, Program Management, Governance, & Cybersecurity.

ExtraHop

ExtraHop

ExtraHop's dynamic cyber defense platform uses cloud-scale AI to help enterprises detect and respond to advanced threats - before they compromise your business.