In December 2023, the genetic testing company 23andMe confirmed that attackers had accessed the accounts of about 14,000 users (0.1% of its customer base) through credential stuffing. It later became clear that this figure counted only the accounts whose credentials were actually compromised, not the users whose data was scraped through those accounts. The actual number of affected users was therefore far higher, about 6.9 million. The stolen data ranged from usernames and passwords to genetic data and geographic locations.
Following the breach, 23andMe said the compromised accounts belonged to users who had reused credentials exposed in earlier, unrelated breaches. The company responded by requiring all users to reset their passwords and enroll in two-factor authentication, and it temporarily disabled some features of its DNA Relatives tool, the opt-in feature through which data on millions of other users had been scraped from the compromised accounts.
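The two stages described above leave distinct traces in ordinary web logs: a credential-stuffing run shows up as one source address trying many different accounts and mostly failing, and the follow-on scraping shows up as a single logged-in account reading far more relative profiles than a person would. The following Python script is an added example, not code from 23andMe or from this article; the log format, field names and thresholds are assumptions, and the sample lines are constructed for illustration.

```python
"""Detect credential stuffing and follow-on relative-profile scraping in
constructed web-application log lines. Log format, field names and
thresholds are assumptions for illustration, not 23andMe's real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp ip user event outcome".
# One address cycles through ten accounts in six seconds and lands two.
STUFFING_LINES = [
    "2023-10-01T12:00:01Z 203.0.113.7 alice@example.com login FAIL",
    "2023-10-01T12:00:02Z 203.0.113.7 bob@example.com login FAIL",
    "2023-10-01T12:00:02Z 203.0.113.7 carol@example.com login OK",
    "2023-10-01T12:00:03Z 203.0.113.7 dave@example.com login FAIL",
    "2023-10-01T12:00:03Z 203.0.113.7 erin@example.com login FAIL",
    "2023-10-01T12:00:04Z 203.0.113.7 frank@example.com login FAIL",
    "2023-10-01T12:00:05Z 203.0.113.7 grace@example.com login OK",
    "2023-10-01T12:00:05Z 203.0.113.7 heidi@example.com login FAIL",
    "2023-10-01T12:00:06Z 203.0.113.7 ivan@example.com login FAIL",
    "2023-10-01T12:00:06Z 203.0.113.7 judy@example.com login FAIL",
    # A real user mistyping her password once from her own address.
    "2023-10-01T12:05:00Z 198.51.100.9 carol@example.com login FAIL",
    "2023-10-01T12:05:04Z 198.51.100.9 carol@example.com login OK",
]
# The hijacked account then walks the relatives list: 120 profile views in
# ten minutes. A real user ("nick") reads three profiles in the same hour.
SCRAPING_LINES = [
    f"2023-10-01T12:{10 + i // 12:02d}:{(i % 12) * 5:02d}Z 203.0.113.7 "
    "carol@example.com relative_profile_view OK"
    for i in range(120)
] + [
    "2023-10-01T12:30:00Z 192.0.2.44 nick@example.com relative_profile_view OK",
    "2023-10-01T12:41:10Z 192.0.2.44 nick@example.com relative_profile_view OK",
    "2023-10-01T12:55:30Z 192.0.2.44 nick@example.com relative_profile_view OK",
]


def parse(lines):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in lines:
        ts, ip, user, event, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "event": event,
                       "ok": outcome == "OK"})
    return events


SAMPLE_EVENTS = parse(STUFFING_LINES + SCRAPING_LINES)


def detect_credential_stuffing(events, min_distinct_users=8, max_success_ratio=0.5):
    """Return {ip: [accounts successfully logged into]} for sources that tried
    at least min_distinct_users different accounts and succeeded on at most
    max_success_ratio of attempts. A legitimate user retries one account; a
    stuffing bot cycles through a leaked (email, password) list, so distinct
    usernames per IP is the telling feature, and the few successes are the
    accounts to force-reset."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                  "attempts": 0, "successes": 0})
    for e in events:
        if e["event"] != "login":
            continue
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["successes"] += 1
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if (len(s["users"]) >= min_distinct_users
                and s["successes"] / s["attempts"] <= max_success_ratio):
            flagged[ip] = sorted(s["ok_users"])
    return flagged


def detect_relative_scraping(events, max_views=50, window=timedelta(hours=1)):
    """Return {user: peak views within any sliding window} for accounts whose
    relative-profile reads exceed max_views inside `window`. This catches the
    second stage, where one compromised login harvests data about people who
    never reused a password at all."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "relative_profile_view" and e["ok"]:
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_views:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_EVENTS))
    print(detect_relative_scraping(SAMPLE_EVENTS))
```

The two detections are deliberately independent: the stuffing rule keys on the attacker's source address, while the scraping rule keys on the account, so it still fires when the attacker moves the harvested session to a different IP or proxy pool. Thresholds are placeholders; in practice they are tuned against a baseline of normal per-account activity for the feature being protected.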
Many questioned how much accountability the company should realistically bear. Should responsibility lie with users, since the breach stemmed from reused credentials? Or does it point to a lapse in 23andMe's own security practices? Some have argued instead that policymakers should set more stringent, clearly defined regulations for situations like this one.
ITPro Today spoke with industry experts about what IT professionals can learn from the 23andMe data breach.
Security Measures and User Confidence
Despite 23andMe attributing the breach to users who had not reset passwords compromised in prior incidents, the fact remains that 6.9 million users had personal data stolen. The stolen data was subsequently offered for sale on criminal forums, in lists that singled out users of certain ethnicities.
The major loss of personal data highlights the need for enhanced security measures, according to Adam Strange, principal analyst of cyber security at research firm Omdia. “Organizations simply need to do more to raise cybersecurity and data security up the priority list,” he said. Strange stressed that relying on cheap and easy security solutions is not an option, especially when it comes to securing business-critical data.
The aftermath has likely eroded trust in 23andMe for many users, presenting a formidable challenge for the company in rebuilding user confidence, which is fundamental to its overall business success, Strange said. “I’m not sure I’d like my data running around their servers until they can demonstrate that the data is 100% safe,” he added. “Demonstration of some form of data compartmentalization might be a good start.”
Are Stronger Regulations the Solution?
Given the highly personal nature of genetic data – and the potential for discrimination and exploitation if it falls into the wrong hands – there is an argument for establishing a set of security regulations tailored to its sensitivity.
Jason Soroko, senior vice president of product at security vendor Sectigo, supports this notion. “DNA data is something that instinctively seems even more important to protect,” Soroko said. “The question is whether this type of data should require a vendor to come under the same kind of security guidance and scrutiny of critical infrastructure or healthcare providers. … DNA data regulation should come up for public debate on whether government regulation is required to protect it further.”
23andMe, headquartered in South San Francisco, Calif., is subject to the California Consumer Privacy Act (CCPA). The CCPA sets out how businesses must inform California-based consumers of their data privacy rights and how consumers can exercise them. 23andMe is also subject to the California Privacy Rights Act (CPRA), which amends and extends the CCPA.
CCPA outlines six specific rights for consumers:
- the right to know,
- the right to delete,
- the right to opt out,
- the right to opt in,
- the right to non-discriminatory treatment, and
- the right to initiate a private cause of action.
CPRA adds two further rights: the right to correct personal information and the right to limit the use and disclosure of sensitive personal information.
The 23andMe data breach also raises concerns about the effectiveness of the Genetic Information Nondiscrimination Act (GINA), which is designed to protect Americans from discrimination based on genetic information by health insurers and employers, but does not govern how companies holding genetic data must secure it.
With so much personal data exposed, much of which is protected under these regulations, it underscores questions about 23andMe’s responsibility for their consumers’ data. “Due to the one-off nature of the breach, no significant changes are expected to be implemented in terms of how [other organizations respond to breaches], but we shall see what the CCPA – including the CPRA amendment – regulators decide in terms of an outcome,” Strange said. “If they come down hard, then it might indeed instigate change [on a broader scale].”
Future regulations could require security measures on the user side that help prevent breaches of this kind. Claude Mandy, chief evangelist at security provider Symmetry Systems, asserted that mandatory multifactor authentication (MFA) would be a step in the right direction. “[The 23andMe breach] highlights the challenge that even security-savvy organizations face in getting their customers to adopt phishing-resistant multifactor authentication,” Mandy said.
Mandy pointed to the challenge of getting customers to enable MFA, noting the potential friction and perceived risk of losing customers to competitors offering simpler alternatives. “Until MFA is seen as mandatory, this perceived risk will remain, making companies hesitant to adopt MFA until their competition does or regulation requires,” he said. “Given this background, regulations requiring all internet-accessible services to require MFA for customers would have huge security benefits across all industries.”
23andMe Data Breach Takeaways
The 23andMe breach provides a valuable learning opportunity for other organizations, regardless of whether 23andMe faces class-action lawsuits or comes up against regulatory changes prompting systemic improvements.
By recognizing that it’s a matter of when, not if, an organization will suffer a breach, now is a great time for companies to assess their data security practices. Doing so involves identifying the most vulnerable data they have, understanding how data is connected, and strengthening security measures.
In addition to proactively securing data, organizations must establish clear guidelines on how to communicate a breach to customers without losing their trust. Attempting to downplay the breach through PR tactics or shifting blame onto users is a counterproductive approach that risks losing user trust.