23andMe Sparks A Rethink About Safeguarding Critical Data

Uploaded on 2024-02-20 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Recently 23andMe, the popular DNA testing service, made a startling admission: hackers had gained unauthorised access to the personal data of 6.9 million users, specifically their ‘DNA Relatives’ data. 

This kind of high-profile breach made headlines globally, and naturally highlights the need for stringent security measures when handling organisational data - especially the type of sensitive genetic information that 23andMe is responsible for.

Further, although the hacker appears to have to use a tactic known as credential stuffing to access 23andMe’s customer accounts, it does pose wider questions to organisations, IT managers and security experts about the security measures that are used more generally to keep organisational and consumer data safe from threat actors?

A key question for many organisations today is that of where and how they host their data -  especially when you consider 23andMe’s data has reportedly been stored solely on cloud servers. One way that organisations can mitigate similar risks is by implementing on-premises and hybrid cloud solutions.  

Achieving Direct Control Of Data

In 23andMe’s case, its compromised ‘DNA Relatives’ data holds immense value and is extremely sensitive. This is because it enables individuals to connect with potential relatives based on shared genetic information.  However, this kind of valuable data often becomes a target for cybercriminals, who are seeking to exploit it for various purposes: including identity theft, fraud, and other nefarious activities. Therefore, to protect this type of information, organisations need to implement robust security measures that ensure the confidentiality, integrity, and availability of the data. 
 
On-premises solutions enables part of this protection to take place effectively and involves hosting data and applications within an organisation's own physical infrastructure. This approach gives organisations direct control over their data and allows them to implement rigorous security protocols. For instance, by keeping genetic data on-site, an organisation like 23andMe is able to secure it behind multiple layers of firewalls and intrusion detection systems, reducing the risk of external breaches. Additionally, access to this data can be restricted to authorised personnel only, minimising the potential for internal data leaks. 

Another school of thought that is worth considering, for many organisations, is to use hybrid cloud solutions. This approach combines the advantages of on-premises and cloud-based services. Organisations can use public or private clouds appropriately to store non-sensitive data while keeping sensitive information - like genetic information in 23andMe’s case - on-premises. This method provides organisations the flexibility to scale resources and accommodate fluctuating user demand, while still maintaining strict data control.

When set up and configured correctly - using encrypted connections and robust authentication mechanisms - hybrid cloud solutions ensure that secure data transmission between the on-premises and cloud environments takes place.  

Steps Towards Preventing Data Breaches

While implementing on-premises and hybrid cloud solutions can significantly reduce the risk of data breaches and unauthorised access to data, there are several other crucial steps and techniques that organisations can take and make use of to secure and protect data from breaches. 

Obvious as it may seem to many in the industry, today it is vital to encrypt data during the storage and transmission thereof. This renders compromised data meaningless to unauthorised users, even if threat actors manage to gain access to it. Implementing multi-factor authentication is vital too. It strengthens access controls and adds an extra layer of security. Users trying to access data should, effectively, be required to provide multiple forms of verification, such as passwords, biometrics, or smart cards to access their data genetic data. In 23andMe’s case, while they do offer this approach to their users, perhaps the use thereof should be made to be mandatory given their recent breach?

Aside from this, it is recommended that organisations conduct frequent security audits to identify vulnerabilities and ensure compliance with industry standards and best practices. This involves testing the effectiveness of security protocols and promptly addressing any discrepancies.

Finally, no robust security framework is complete without equipping employees with proper training and awareness about their responsibilities towards securing data and protecting it. Regular security awareness programmes help staff understand their roles and responsibilities in protecting data. 

Even though 23andMe claims that it exceeds industry data protection standards and has achieved three different ISO certifications to demonstrate the strength of its security program, and that it actively routinely monitors and audits its systems, an incident like this, along with the PR and media attention that it has gained, will undoubtedly have caused its team to evaluate all of its security parameters including the further training of its team in order to ensure this doesn’t occur in future.  

Conclusion

23andMe's recent data breach serves as a wake-up call for organisations handling data, especially sensitive genetic information provided by consumers. This kind of incident will have naturally caused it to reconsider its security policies and approach towards securing organisational and customer data.

Today, as other organisations consider their approach towards security and protecting data, many will review where and how their data is stored, managed and accessed. 

This is especially true of banks, telcos, insurance companies and many other kinds of firms. On-premises and hybrid cloud solutions provide powerful and effective options here too. They enable organisations to fortify their security measures and protect against potential data breaches. 

The combination of direct control over data provided, along with tools and tactics like encryption, multi-factor authentication, security audits, and employee training creates a comprehensive defence against unauthorised access of organisational data.

All of which the likes of 23andMe, along with many other organisations, will be considering and prioritising as they strive to adopt more robust security measures that ensure the privacy and integrity of organisational, and consumer, data.

Mark Grindey is CEO of Zeus Cloud

Image: Growtika

You Might Also Read: 

Cybersecurity In Managed Cloud: Best Practices For Keeping Your Data Safe:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Businesses Must Prioritise Safeguards Against Common Threats
Lockbit's Website Taken Down By Law Enforcement »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

Palo Alto Networks

Palo Alto Networks

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate.

CERT-FR

CERT-FR

CERT-FR is the French national government computer security incident response team.

Dispersive Networks

Dispersive Networks

Dispersive Virtual Network is a carrier-grade software-defined programmable network that is inspired by battlefield-proven wireless radio techniques.

Intrasoft International

Intrasoft International

Intrasoft International is a leading European IT Solutions and Services Group offering a full range of IT services including Information Security.

Redjack

Redjack

Redjack is a cutting-edge network analytics company focused on enterprise and ISP security and intelligence solutions.

SafenSoft (SnS)

SafenSoft (SnS)

SafenSoft delivers high-efficiency, low-impact proactive protection against malware, insider threats, and confidential data leakage.

iONLINE

iONLINE

iONLINE delivers high quality IT services and solutions to businesses in Azerbaijan.

Assystem

Assystem

Assystem delivers a comprehensive security approach for the industrial and service sectors that integrates physical security systems, industrial cyber-security, functional safety and dependability.

White & Black

White & Black

White & Black are specialist corporate & technology lawyers based in London & Oxford.

IT Band Systems

IT Band Systems

IT Band Systems is an international provider of IT products and services including web server monitoring and web security consulting.

Immuta

Immuta

Immuta empowers data engineering and operations teams to automate data governance, security, access control & privacy protection.

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

CMMC COE is an IT-AAC sponsored public–private partnership that will be the focal point for entities seeking to achieve Cybersecurity Maturity Model Certification.

LGMS - LE Global Services

LGMS - LE Global Services

LGMS is a leading cyber security penetration testing and assessment firm in the Asia Pacific region.

Arsen Cybersecurity

Arsen Cybersecurity

Arsen is a French cybersecurity startup, dedicated to enhancing human behaviors in cybersecurity.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.