In a startling revelation, 23andMe, the popular genetic testing company, has admitted to a severe lapse in cybersecurity, acknowledging that it failed to detect a series of cyberattacks targeting customer accounts for approximately five months. The breach exposed the ancestry and genetic data of 6.9 million users, triggering concerns about user privacy and data protection.
The Breach Timeline:
According to a data breach notification letter filed with regulators, the cyberattacks on 23andMe accounts commenced in April 2023 and persisted until September of the same year. During this extended period, hackers successfully infiltrated customer accounts through brute-force tactics, and the login activity went undetected by 23andMe's security monitoring for the entire five months.
Discovery and Scale of the Breach:
It wasn't until October that 23andMe became aware of the breach. The company disclosed that hackers had stolen the ancestry and genetic data of 6.9 million users, representing about half of its customer base. The revelation came when hackers advertised the pilfered data on various online forums, including the unofficial 23andMe subreddit and a notorious hacking forum.
Method of Attack and Stolen Data:
The cybercriminals gained access to approximately 14,000 customer accounts by exploiting weak passwords that were already publicly available from prior breaches and paired with the same email addresses. From those accounts, the hackers then used the DNA Relatives feature, which exposes the profiles of a user's genetic matches, to compromise data on 6.9 million customers. Stolen information included names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations.
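The two stages described above, leaked passwords tried across many accounts from a few sources and then bulk use of the DNA Relatives feature, are exactly the pattern that monitoring should have caught during those five months. The following Python is an added illustration of that detection logic, not 23andMe's code; the login events, profile-view events and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, outcome).
# One source sprays several accounts with mostly failures; the other is a normal user.
LOGIN_EVENTS = [
    ("203.0.113.10", "alice@example.com", "fail"),
    ("203.0.113.10", "bob@example.com", "fail"),
    ("203.0.113.10", "carol@example.com", "success"),
    ("203.0.113.10", "dave@example.com", "fail"),
    ("203.0.113.10", "erin@example.com", "fail"),
    ("203.0.113.10", "frank@example.com", "success"),
    ("198.51.100.7", "alice@example.com", "success"),
    ("198.51.100.7", "alice@example.com", "success"),
]

# Constructed sample DNA Relatives profile views: (account, viewed_profile_id).
# A compromised account walks hundreds of relative profiles; a real user views two.
RELATIVE_VIEWS = [("carol@example.com", f"p{i}") for i in range(1, 601)]
RELATIVE_VIEWS += [("alice@example.com", "p1"), ("alice@example.com", "p2")]


def credential_stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate.
    Credential stuffing spreads leaked passwords across accounts, so the number of
    distinct accounts per source (not failures per account) is the signal.
    Returns {ip: [accounts that logged in successfully from that ip]} so those
    accounts can be forced through a password reset."""
    by_ip = defaultdict(lambda: {"tried": set(), "attempts": 0, "compromised": set()})
    for ip, account, outcome in events:
        rec = by_ip[ip]
        rec["tried"].add(account)
        rec["attempts"] += 1
        if outcome == "success":
            rec["compromised"].add(account)
    flagged = {}
    for ip, rec in by_ip.items():
        ratio = len(rec["compromised"]) / rec["attempts"]
        if len(rec["tried"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(rec["compromised"])
    return flagged


def relative_scrapers(views, max_profiles=100):
    """Flag accounts viewing far more DNA Relatives profiles than a person would."""
    seen = defaultdict(set)
    for account, profile in views:
        seen[account].add(profile)
    return {a: len(p) for a, p in seen.items() if len(p) > max_profiles}


if __name__ == "__main__":
    print(credential_stuffing_sources(LOGIN_EVENTS))
    print(relative_scrapers(RELATIVE_VIEWS))
```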
Legal Fallout and Class Action Lawsuits:
Upon notifying affected customers, 23andMe faced immediate legal consequences. Multiple class-action lawsuits were filed against the company in the U.S. and Canada. Notably, 23andMe attempted to hinder collective legal actions by altering its terms of service, a move criticized as "cynical" and "self-serving" by data breach lawyers.
Blame Game: Users vs. 23andMe:
In response to the lawsuits, 23andMe shifted blame onto users, asserting that the incident resulted from customers negligently reusing passwords and failing to update them following previous security incidents. The company defended itself, claiming the breach was not a result of any failure to maintain reasonable security measures.
Conclusion:
The 23andMe cybersecurity breach serves as a stark reminder of the ongoing challenges companies face in safeguarding sensitive user data. As legal battles unfold and questions about data protection persist, this incident underscores the critical need for continuous improvement in cybersecurity measures to protect user privacy in an era where personal data is increasingly vulnerable to sophisticated cyber threats.