DNA testing firm 23andMe has argued the victims are responsible for the breach of highly sensitive genomics data on its systems last year.
In a written reply to Tycko & Zavareei LLP, a law firm representing victims of the breach in a class action lawsuit filed in the courts in November 2023, 23andMe accused users whose accounts were accessed of “negligently” recycling and failing to update their passwords.
The DNA testing firm argued this allowed the attackers to launch a credential stuffing campaign using usernames and passwords accessed in separate breaches.
23andMe Argues its Case
“23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company stated in the letter dated December 11, 2023, that was sent to TechCrunch.
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA [California Privacy Rights Act],” 23andMe added.
In the incident, which took place in October 2023, nearly 7 million customers’ information was accessed, including a significant number of files containing information about some users’ genealogy, such as ethnicity and ancestry.
The hackers initially accessed around 14,000 user accounts via the credential stuffing campaign.
They then used this information to access the personal data of 6.9 million users who had opted into 23andMe’s DNA Relatives feature, in which customers automatically share some of their data with people who are considered their relatives on the platform.
23andMe also claimed in the letter that the plaintiffs had no case because the victims had elected to share their information with other users by opting into the DNA Relatives feature.
Additionally, the company said that the information the attacker potentially accessed couldn’t be used to cause “pecuniary harm” as it didn’t include their social security number, driver’s license number or any payment details.
23andMe’s Stance Criticized
In the lawsuit filing, Bacus v 23andMe, Inc., the plaintiff alleges the DNA testing firm did not take reasonable measures to secure user accounts, which resulted in the breach.
Since the incident, 23andMe confirmed it has added new security measures to protect user accounts. These include terminating all active logged-in sessions, requiring a password reset on all user accounts and requiring all customers to use two-factor authentication.
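The two-stage pattern described above, a credential stuffing run that lands a small number of accounts followed by bulk reads of relatives' profiles from those accounts, is the kind of thing a defender can spot in authentication and API logs before the scraping finishes. The following is an added example, not 23andMe's code or any code from the article: it parses a constructed, labelled sample log (timestamp, source IP, username, event, result) and flags source addresses that try many distinct usernames with a low success rate, then flags accounts reading an abnormal number of relative profiles. Field layout, event names (`login`, `relatives_view`), thresholds and IP addresses are all assumptions chosen for illustration.

```python
"""Detection heuristics for a credential stuffing campaign followed by bulk
data scraping through a relatives/sharing feature.

Assumed log format (constructed for this example, one event per line):
    <ISO timestamp> <source IP> <username> <event> <OK|FAIL>
"""
from collections import defaultdict

# Constructed sample log. 198.51.100.7 tries ten different usernames and
# succeeds on two (carol, judy); 203.0.113.9 is alice mistyping once.
SAMPLE_LOG_LINES = [
    "2023-10-01T10:00:01Z 198.51.100.7 alice login FAIL",
    "2023-10-01T10:00:02Z 198.51.100.7 bob login FAIL",
    "2023-10-01T10:00:02Z 198.51.100.7 carol login OK",
    "2023-10-01T10:00:03Z 198.51.100.7 dave login FAIL",
    "2023-10-01T10:00:03Z 198.51.100.7 erin login FAIL",
    "2023-10-01T10:00:04Z 198.51.100.7 frank login FAIL",
    "2023-10-01T10:00:04Z 198.51.100.7 grace login FAIL",
    "2023-10-01T10:00:05Z 198.51.100.7 heidi login FAIL",
    "2023-10-01T10:00:05Z 198.51.100.7 ivan login FAIL",
    "2023-10-01T10:00:06Z 198.51.100.7 judy login OK",
    "2023-10-01T10:05:00Z 203.0.113.9 alice login FAIL",
    "2023-10-01T10:05:10Z 203.0.113.9 alice login OK",
]
# The compromised "carol" account then reads 60 relative profiles in one
# minute; "bob" reads three from his own address, which is normal use.
SAMPLE_LOG_LINES += [
    f"2023-10-01T10:10:{i:02d}Z 198.51.100.7 carol relatives_view OK" for i in range(60)
]
SAMPLE_LOG_LINES += [
    f"2023-10-01T11:00:0{i}Z 203.0.113.44 bob relatives_view OK" for i in range(3)
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)


def parse(log_text):
    """Split the assumed five-field log lines into dicts; skips blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "event": event, "result": result})
    return events


def detect_credential_stuffing(events, min_users=8, max_success_rate=0.3):
    """Flag source IPs that attempt logins for many distinct usernames with a
    low success rate: the signature of replaying leaked username/password pairs.
    Returns {ip: {"distinct_users", "success_rate", "compromised"}}."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for e in events:
        if e["event"] != "login":
            continue
        bucket = by_ip[e["ip"]]
        bucket["users"].add(e["user"])
        bucket["attempts"] += 1
        if e["result"] == "OK":
            bucket["ok"].add(e["user"])
    flagged = {}
    for ip, b in by_ip.items():
        rate = len(b["ok"]) / b["attempts"]
        if len(b["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(b["users"]),
                "success_rate": round(rate, 2),
                # accounts that accepted a stuffed password and need a reset
                "compromised": sorted(b["ok"]),
            }
    return flagged


def detect_bulk_relative_access(events, max_views=50):
    """Flag accounts whose relative-profile reads exceed a per-log threshold,
    the post-login scraping stage. Returns {user: view_count}."""
    views = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view" and e["result"] == "OK":
            views[e["user"]] += 1
    return {user: n for user, n in views.items() if n > max_views}


def accounts_to_reset(events):
    """Union of accounts hit by either detector: candidates for forced
    session termination and password reset."""
    hit = set()
    for info in detect_credential_stuffing(events).values():
        hit.update(info["compromised"])
    hit.update(detect_bulk_relative_access(events))
    return sorted(hit)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("stuffing sources:", detect_credential_stuffing(evs))
    print("bulk readers:", detect_bulk_relative_access(evs))
    print("reset these accounts:", accounts_to_reset(evs))
```

The thresholds are deliberately simple; in production they would be tuned per time window, and the distinct-username count is the more robust signal, since a single legitimate user rarely fails against many different accounts from one address. Note that the success-rate check is what separates stuffing from a user who simply forgot a password, and that the scraping detector catches the damage even when the login stage was missed.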
Industry experts quickly criticized 23andMe’s assertion that the victims were to blame for the breach.
Erfan Shadabi, Cybersecurity Expert at comforte AG, commented that while users do have an obligation to follow best practices in areas like password management, companies also have a duty to protect the sensitive information that has been entrusted to them, such as enforcing 2FA policies.
“Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity,” he stated.
Nick Rago, Field CTO at Salt Security, said that 23andMe’s argument that the breach cannot cause financial harm because it did not include information like credit card details is completely outdated.
He noted that exposing any genealogy or relationship information would be highly useful to an attacker in developing a targeted social engineering campaign to scam a consumer, steal an identity or gain privileged system access in a corporate infrastructure.
Examples of recent breaches rooted in a successful targeted social engineering campaign include those that affected JumpCloud, MGM and Caesars.
“These types of attacks do not take much information about the targeted individual to be effective, especially with the rise of AI technologies that are helping threat actors craft material used in their efforts,” explained Rago.