Who Is Legally Responsible For Your Cybersecurity?

As a cybersecurity professional and expert witness, I like to keep an eye on legal cases that set precedents. Case law allows the public to see the facts of any given case, and more importantly, the judge’s decisions. These decisions create a body of law that can set a precedent for judges in making future decisions on similar issues.

The principle of 'stare decisis', meaning 'to stand by things decided' is central to case law, ensuring legal consistency and predictability. Unfortunately, in the UK, and similarly the US, the vast majority of cases are settled out-of-court and very often bind both parties from disclosing any settlements, concessions or decisions based on the facts.

There is potentially an interesting case law in the offing in the US. 23andMe is a company that provides genetic testing for health and ancestry information. In October 2023, a hacker claimed to have breached 23andMe and sold access on the darkweb for between $1 to $10 per profile. In December 2023, 23andMe admitted that approximately 14,000 people had their accounts directly accessed and that data from a further 1.4 million to 6.9 million customers, depending on reports, had been accessed as a result of preferences that they had set, allowing “potential genetic relatives” to identify them.

As a result of the breach, a number of legal cases have sprung up against 23andMe. As part of their defence, 23andMe have stated that the unauthorized access to user accounts had been a result of a “credential stuffing” attack.

A credential stuffing attack is where attackers use automated scripts to try a large volume of usernames and password combinations against a website or multiple websites. These combinations are often obtained from previous data breaches. The aim is to gain unauthorized access to accounts, exploiting the fact that people often reuse passwords across multiple sites.

As such, 23andMe are essentially saying that it is not their fault that the approximately 14,000 accounts were compromised, because users were re-using passwords that had been breached previously, and that users had failed to update passwords or apply additional, multi-factor verification methods. As for the remaining nearly 7 million individuals, they opted to share their information within the platform.

Credential stuffing could potentially be detected, I’m making no assumptions as to the sophistication of the attacker’s methods or the detection mechanisms within 23andMe’s infrastructure. Such an attack would typically present as tens or hundreds or thousands of unsuccessful login attempts from one or multiple IP addresses. Intermixed with that would be the successful logins for genuine users of the site. This though only accounts for the 14,000 directly compromised accounts. The remaining 6.9 million impacted users opted to share their data on the platform.

There’s going to be many arguments on both sides regarding this case. Ultimately, I suspect that this will come down to a decision regarding duty of care, and who that duty of care lies with. On the one hand, detecting credential stuffing attacks and blocking based on IP addresses, is feasible. On the other hand, threat actors often hide behind VPN’s or infrastructures used to co-host legitimate services. As such, blocking access from these may impact legitimate users and functionality.

Notifying users of logins from new devices or locations is also perfectly feasible. Though users had not opted to enable multi-factor authentication (MFA) as a mechanism to detect mitigate against this type of attack themselves.

One point that does stand out to me is that these accounts had access to 6.9 million people’s data.  This seems like a staggeringly high blast radius, though does also make me question how much of the data would have been accessible to the attacker if, instead of using compromised accounts to gain access, they had signed up legitimately to the platform? And from this, were users provided with sufficient information to provide informed consent? And what boundaries, if any, come with that consent?

While this data loss and its impact has been a result of obvious malicious intent, with the threat actor selling individual records for between $1 and $10 USD on the darkweb; in 2020 the private equity firm “Blackstone” bought the DNA testing company Ancestry for $4.7 billion USD and in 2019 users of Family Tree DNA, a similar platform/service provider, found that their genetic sample, data, and by extension that of their relatives, was being used by the FBI. How are users therefore supposed to analyze, understand, accept, and control the risk of who has access to their data?

The broader point that I would like to see judgement on is where the balance point is between users having to take responsibility for their own password management, data, and cybersecurity and companies securing, monitoring, and responding to detections on their systems.

Ultimately, while I don’t expect these cases to answer all of the questions, or necessarily lay precedent for future actions, there has to come a point where users and providers work together to create a clear understanding of risk, consent, and responsibility.

Mark Cunningham-Dickie is a Senior Incident Responder for Quorum Cyber

Image: Ideogram 

You Might Also Read: 

Cyber Security Governance Is A Leadership Responsibility:

DIRECTORY OF SUPPLIERS - Governance, Risk & Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Iranian Hackers Targeted Israel’s Radar Systems
Problems With Underperforming Cyber Security Service Providers  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CloudDNA

CloudDNA

CloudDNA deliver solutions that enable users and devices to connect over high performance, secure, efficient, scalable cloud networks.

Techmeme

Techmeme

Techmeme is an online news curation service focused on leading edge technology, including cyber security.

Hogan Lovells

Hogan Lovells

Hogan Lovells is an international business law firm with offices across Europe, Asia and the USA. Practice areas include Privacy & Cybersecurity.

NATO Communications and Information Agency (NCIA)

NATO Communications and Information Agency (NCIA)

The NCIA Cyber Security Service Line is responsible for planning and executing all life cycle management activities for cyber security.

MD5

MD5

MD5 is a leading UK provider of Digital Forensic & eDiscovery services to large multi-national corporate businesses, Law Enforcement & Government Agencies, high profile legal firms.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

Veriato

Veriato

Veriato develops intelligent solutions that provide companies with visibility into the human behaviors and activities occurring within their network, making them more secure and productive.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Tide Foundation

Tide Foundation

Tide's breakthrough multi-party-cryptography enables TRUE-zero-trust technology that unlocks cyber-herd immunity.

Vizius Group

Vizius Group

The Vizius Group are a think tank of cybersecurity consultants who understand the mechanics and business value of risk reduction.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

Strategic Technology Solutions (STS)

Strategic Technology Solutions (STS)

Strategic Technology Solutions specialize in providing Cybersecurity and Managed IT Services to the legal industry.

SecondSight

SecondSight

SecondSight’s Vertical AI embodies a full-spectrum approach to cyber insurance, facilitating accurate digital risk profiling.