Companies like 23andMe have revolutionized accessibility to genetic information, promising personalized insights into health. However, with innovation comes notoriety and vulnerability, as highlighted by the recent data breach at 23andMe.
This breach, affecting millions of users, serves as a stark reminder of the urgent need for robust cybersecurity measures and strong password management.
In October 2023, 23andMe disclosed a data breach that affected approximately 7 million customers. Though the hacker initially targeted a relatively small number of accounts (~14,000), 23andMe's interconnected data-sharing system allowed access to a broader user base. The compromised data contained users' ancestry information and, for some, health-related details, raising significant concerns about the potential misuse of personal genetic data.
Despite the presence of encryption protocols and access controls, 23andMe's security systems were penetrated. The data breach resulted specifically from a credential stuffing attack, a method where cybercriminals use automated tools to try stolen username-password pairs from other breaches on different platforms. This type of attack often exploits sites that lack two-factor authentication (2FA).
Brute force attacks like credential stuffing present significant challenges due to their discreet nature and utilization of dynamic IP addresses. The 23andMe credential stuffing attack likely succeeded due to deficiencies in multi-factor authentication (MFA) and threat detection technology. Most of all, the attack exploited human error by pulling compromised passwords used elsewhere on the web.
Following the breach, several class action lawsuits were filed against 23andMe alleging negligence and privacy law violations.
23andMe's response to the data breach has become a hotly debated topic, with some people suggesting that the company did not take enough responsibility and instead focused blame on affected users and their previously compromised user credentials. If this defense is accepted in legal proceedings, it could potentially transfer the responsibility for cybersecurity controls from the corporation to the customers. With this, it's crucial to recognize that many users may not be well-versed in proper password management practices, which further complicates the matter.
23andMe, however, had opportunities to improve security measures and reduce risks. These legal actions could also prompt changes in 23andMe's data security practices and policies. For instance, there may be calls for enhanced protections for user data and measures to prevent similar incidents in the future.
Another potential outcome could involve the introduction of new data protection regulations mandating multi-factor authentication (MFA) for all companies within the genetic testing industry, similar to requirements in the financial sector. Such initiatives would supplement existing data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which are designed to address user privacy concerns and safeguard DNA data privacy.
Cyber insurance plays a pivotal role in mitigating financial losses for organizations in the event of a breach. By providing coverage for various expenses, including breach response and legal fees, cyber insurance helps minimize the financial fallout from cyber incidents.
Common coverage options include first-party coverage for direct losses incurred by the insured organization and third-party coverage for liability and legal expenses arising from claims by third parties. In the case of 23andMe’s data breach, this type of insurance would help offset the costs associated with breach response, including forensic investigations, notification of affected individuals, and credit monitoring services. Third-party coverage, on the other hand, would help pay for their defense in the class action lawsuits filed against the company
Directors and Officers (D&O) insurance is another type of coverage specifically for executives. This form of liability coverage protects against claims of mismanagement, negligence, errors, or omissions in their corporate roles. D&O insurance typically covers legal expenses, judgments, settlements, and other costs incurred in defending against lawsuits brought about by shareholders, employees, regulatory bodies, or other stakeholders. Companies like 23&Me may find D&O insurance particularly valuable for mitigating risks and protecting its leadership team from personal liability.
It's important to note that cyber insurance policies may have exclusions and limitations, such as coverage caps, waiting periods, and specific exclusions for certain types of cyber incidents. Therefore, it is essential to assess needs and risks upfront before moving forward with a plan.
In the wake of the 23andMe breach, prioritizing robust password management practices has never been more crucial. Cybersecurity experts advocate the following best practices for users:
The 23andMe data breach underscores the need to prioritize and invest in cybersecurity solutions, including cyber insurance. By addressing security control gaps, comprehending legal and regulatory implications, and promoting individual password management, organizations can mitigate the risk of future breaches.
Find Allen Blount on LinkedIn.
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.