In a startling revelation, 23andMe has come forward with the news of a significant data breach, one that went undetected for several months. This disclosure, part of a mandatory data breach notification to California’s attorney general, has sent ripples across the tech and health sectors, highlighting the vulnerability of even the most personal data: our genetic information.
The breach saga began in April 2023, when attackers began infiltrating customer accounts at 23andMe. This series of unauthorized accesses continued unchecked until September, indicating a concerning gap in the company’s cybersecurity measures. During this period, the perpetrators were not just attempting but often succeeding in brute-forcing their way into customer accounts. The lack of detection by 23andMe over these five months has raised serious questions about the company’s vigilance in safeguarding user data.
The severity of the situation came to light when 23andMe, in October, became aware of the breach. This realization was not due to internal security protocols but because the hackers brazenly advertised the stolen data online, including on an unofficial 23andMe subreddit and a known hacking forum. Astonishingly, this wasn’t the first instance of such advertising; the stolen data had been flaunted on another hacking forum as early as August.
The impact of this breach is far-reaching. Hackers accessed the accounts of approximately 14,000 customers by reusing email-and-password pairs that had been exposed in other data breaches. Once inside these accounts, they could pilfer the genetic and ancestral data of a staggering 6.9 million users. This data included names, birth years, relationship labels, DNA shared percentages, ancestry reports, and self-reported locations, all shared via the DNA Relatives feature, which lets users connect with potential relatives on the platform.
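The access pattern described above, one source trying many different accounts with credentials leaked elsewhere and occasionally succeeding, is the kind of thing authentication logs can surface long before stolen data shows up on a forum. The following is an added illustration, not code from 23andMe or from the article: it runs a sliding-window check over a constructed authentication log (the log format, the window size and the distinct-account threshold are all assumptions) and reports sources that touched an unusual number of distinct accounts, together with the accounts where those sources logged in successfully, which are the ones a defender would want to force through a password reset and MFA enrolment.

```python
"""Credential-stuffing detection over authentication logs.

Added example for illustration only (not 23andMe's code). The log
format, window size and threshold below are assumptions. Credential
stuffing looks different from a brute force against one account: one
source, many *distinct* accounts, few attempts each, and the occasional
success where a password reused from another breach happens to match.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <account> <result>"
SAMPLE_LOG = """\
2023-04-03T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-03T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-03T02:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-04-03T02:00:04Z 203.0.113.7 dave@example.com FAIL
2023-04-03T02:00:05Z 203.0.113.7 erin@example.com FAIL
2023-04-03T02:00:06Z 203.0.113.7 frank@example.com FAIL
2023-04-03T02:00:07Z 203.0.113.7 grace@example.com SUCCESS
2023-04-03T02:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-04-03T02:00:09Z 203.0.113.7 ivan@example.com FAIL
2023-04-03T02:00:10Z 203.0.113.7 judy@example.com FAIL
2023-04-03T02:05:00Z 198.51.100.2 alice@example.com FAIL
2023-04-03T02:05:20Z 198.51.100.2 alice@example.com FAIL
2023-04-03T02:05:40Z 198.51.100.2 alice@example.com SUCCESS
2023-04-03T09:00:00Z 192.0.2.9 mallory@example.com SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumption: sliding window length
MIN_DISTINCT_ACCOUNTS = 8        # assumption: distinct accounts per source


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {src_ip: {"accounts": n, "successes": [...]}} for every source
    that attempted at least `min_accounts` distinct accounts inside `window`.

    A single account hammered repeatedly (198.51.100.2 above) is a different
    pattern and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in sorted(events):
        by_ip[ip].append((ts, account, result))

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            distinct = {a for _, a, _ in window_evs}
            if len(distinct) >= min_accounts and (
                best is None or len(distinct) > best["accounts"]
            ):
                best = {
                    "accounts": len(distinct),
                    "successes": sorted(
                        {a for _, a, r in window_evs if r == "SUCCESS"}
                    ),
                }
        if best is not None:
            findings[ip] = best
    return findings


def compromised_accounts(findings):
    """Accounts that a flagged source logged into: candidates for a forced
    password reset and MFA enrolment."""
    return sorted({a for f in findings.values() for a in f["successes"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['accounts']} distinct accounts, "
              f"successes={info['successes']}")
    print("step-up required for:", compromised_accounts(found))
```

The threshold is intentionally crude; a production version would key on more than source IP (stuffing tools rotate through proxies), baseline per-source account counts over time, and feed the flagged accounts into a forced credential reset and MFA requirement rather than only printing them.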
In response to inquiries about this prolonged undetected breach, 23andMe spokespeople were initially unresponsive. This silence, combined with the gravity of the breach, has led to a flurry of class action lawsuits in the United States and Canada. The legal battles are intensifying, especially after 23andMe’s attempt to modify its terms of service, seemingly to make collective legal action more challenging. These changes have been met with criticism from data breach attorneys, who describe the move as a self-serving tactic to shield the company from the fallout of its own security shortcomings.
In an unexpected turn, 23andMe shifted some of the blame onto its users in a letter addressing the breach. The company argued that the incident stemmed from customers reusing passwords, a practice that compromised their account security. This stance has sparked a debate about the responsibility of users versus companies in ensuring digital security, especially in an age where personal data is increasingly valuable and vulnerable.
The 23andMe data breach serves as a stark reminder of the importance of robust cybersecurity measures and the potential consequences when these measures fail. It also underscores the shared responsibility between companies and users in safeguarding personal information, particularly when it comes to sensitive genetic data.
As the legal battles unfold and 23andMe grapples with the fallout, this incident will likely serve as a catalyst for broader discussions about data security in the genetic testing industry. It’s a wake-up call to all organizations handling sensitive user data: vigilance and proactive security measures are non-negotiable in our increasingly interconnected digital world.