aevium’s Post

How concerned are you about your DNA data? Here's what happened: In a blog post published today, 23andMe admitted that it failed to detect a data breach that exposed the genetic data of 6.9 million customers. The breach occurred in April 2023, and the company did not discover it until September 2023. Hackers were able to access customer accounts by brute-forcing passwords. Once they had access, they were able to download genetic data, including DNA sequences and health information. 23andMe is blaming the breach on customers who used reused passwords. The company says that it has now implemented additional security measures to prevent future breaches. How can a company providing such a service have such a basic cybersecurity issue? #23andMeBreach #DataSecurity #GeneticData #Privacy #PasswordSecurity #Cybersecurity #ProtectYourDNA #HackersHaveFamilyTreesToo #DataBreachesAreNoJoke #BeCyberSavvy https://lnkd.in/dWjk3TTN

Interesting approach... If you've been following the news in the cyber world, 23andMe was the victim of a credential stuffing attack. In response, they've issued a letter to some of their customers blaming them for the attack. I'm intrigued to see how this will play out. While obviously this is WHY we DO NOT re-use passwords across multiple platforms, a functionality in 23andMe's website, specifically a DNA Relatives feature, caused the attackers to pivot into stealing additional information from customers who were otherwise secure. What are your thoughts on this? Is this the fault of the customer? Or should 23andMe be taking ownership of this attack? Where does the line between customer responsibility and corporate responsibility lie? #cybersecurity #security https://lnkd.in/gRPz9xGg

I was thinking about this topic earlier! corporations, small business and citizens alike need to see the forest for the trees and understand that malicious entities don't wait and we can't afford to be complacent and hope our cyber insurance saves us. I saw this article earlier reporting that China has had access to U.S infrastructure for at least 5 years for a cyber attack in the event of a war. The time is now and the cost is priceless. link to article below: https://lnkd.in/gVhiPYwk

On December 5 in their blog, 23andMe says, "In addition, 23andMe now requires all new and existing customers to login using two-step verification. Protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data." This seems to state that 23andMe believes the implementation of MFA for all accounts is necessary for data privacy and security, which are both noted as "top priority". However, on December 11, just 6 days later, their lawyers say, "23andMe believes that unauthorized actors managed to access certain user accounts in certain instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not result of23andMe’s alleged failure to maintain reasonable security measures under the CPRA.". One more blog article from 2020 shows 23andMe boasting about their ISO 27001, 27701, and 27018 certifications. Regarding 27001, they further say, "23andMe’s first certification, which we first received in 2019, is ISO 27001. We started with that certification because it is one of the most widely recognized and internationally accepted information security standards. It identifies requirements and specifications for a comprehensive Information Security Management System (ISMS). This defines how an organization should manage and treat information more securely, including applicable security controls." While ISO 27001, 27701, and 27018 do not specifically REQUIRE the implementation of MFA, they provide a risk framework for protecting information and in 2020, well before this incident, MFA was an industry best practice and would have been recommended frequently through the assessments to attain these certifications. Bottom Line, 23andMe willingly ignored MFA and accepted the risk of this type of compromise happening on their platform.

In October 2023, 23andMe reported that attackers had infiltrated users' accounts and scraped personal data from a total of 6.9 million people. In a legal turn earlier this year, the company began to deflect blame back to its users for enabling the hackers' access. A standard Zero Trust model works to prevent this, and many companies and cybersecurity experts know that it's the standard with user data. To read more about this shift in the narrative, read the Techopedia article linked below. Do you think 23andMe is unjustified in blaming users for their breach? Tell us about it below⤵️ #cybercrimeawareness #cybersecurity #databreach

📝 Update: AT&T Confirms Data for 73 Million Customers Leaked on Hacker Forum https://lnkd.in/dp9NAf2W #DataBreach #ATTHack #PrivacyAlert #CyberSecurity #DataPrivacy #ATTDatabreach #HackerForum #CustomerDataLeak #SecurityBreached #ProtectYourData

In light of the recent disclosure by 23andMe regarding a months-long undetected cyberattack that compromised millions of users' genetic data, how do you think companies should enhance their cybersecurity measures to prevent such breaches? What steps should be taken to ensure quicker detection and more transparent communication with affected users? https://lnkd.in/gF7pwrNx #breachprevention #23andme #cybersecurityawareness

23andMe tells victims it’s their fault that their data was breached “Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures” By hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked #23andMe #CrisisManagement #Crisis #management #business #security #cybersecurity #infosec #hackers #hacking #hacked

What not to do during a data breach: Blame your customers. 😨 The genetic and ancestry company 23andMe is in the hot seat after suffering a catastrophic data breach last year in December. Through credential stuffing, hackers gained access to millions of users' genetic information. Now, they're facing over 30 lawsuits, and their response was to blame users for not updating their passwords. Anyone in cybersecurity knows that this is a cop-out. Businesses are responsible for the security of their customer's data, not the other way around! If you're worried about reputation-ruining data breaches like this, connect with me or click the link below for Proofpoint Cybersecurity. https://lnkd.in/ggFMdPqx #DataSecurity #Cybersecurity #Data #Proofpoint #DataBreach