23andMe Blames Victims for Information Hack
DNA and ancestry site 23andMe has told victims of a major hack that it's their fault for not using unique passwords. The claim came in a letter aimed at deterring victims from proceeding with a class action case.
The site admitted last month that almost 7 million customers had been affected by a data breach. Hackers directly accessed personal data, including DNA information, of about 14,000 people. However, through those accounts they were also able to get some personal data of another 6.9 million people who had enabled a feature to share information with potential relatives.
Unsurprisingly, this led to legal action from customers who felt 23andMe had failed to adequately secure their data.
'Customers Responsible' For Reused Password
The company has now written to one of the lawyers representing plaintiffs in one of the cases. In a stark response, one of its reasons for rejecting the case is the claim that "No Breach Occurred." That's because it says the initial access by unauthorized actors was in cases "... where users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches ... and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." (Source: techcrunch.com)
Password Insufficient
The lawyer says that's an inadequate response because the site should have taken additional steps to protect accounts other than relying solely on passwords, particularly given the sensitive nature of information provided by customers. (Source: arstechnica.com)
This could include requiring two-factor authentication when customers (or hackers) attempt to log in from somewhere other than their usual location. It could also mean detecting and blocking automated credential stuffing, where hackers take a list of usernames and passwords stolen from one site and try them against accounts on other sites. A site can block or rate-limit a source that makes thousands of login attempts in quick succession, and in particular one that cycles through many different usernames, most of which fail.
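To make the three measures above concrete, here is a small login guard written as an added example for this article; it is not 23andMe's code and nothing in the article describes how their login system works. It is assumed that the site already has a password check, a GeoIP lookup for the source address and a record of the countries each account has logged in from; the thresholds, account names and the sample login log are constructed for the example. Each attempt gets one of four decisions: allow, deny (wrong password), step_up_2fa (right password but unfamiliar location) or blocked (the source IP shows a credential-stuffing pattern or exceeds the rate limit).

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Tunables. These values are hypothetical, chosen for the example.
WINDOW_SECS = 60           # sliding window per source IP
MAX_ATTEMPTS_PER_IP = 20   # raw volume cap inside the window (rate limit)
MIN_DISTINCT_USERS = 5     # stuffing signal: many different accounts from one IP...
MIN_FAILURE_RATIO = 0.5    # ...with most of those attempts failing


@dataclass(frozen=True)
class Attempt:
    ts: float          # seconds since some epoch
    ip: str            # source address
    user: str          # account being logged into
    country: str       # GeoIP country of the source, e.g. "US"
    password_ok: bool  # result of the password check alone


class LoginGuard:
    """Decides allow / deny / step_up_2fa / blocked for each login attempt."""

    def __init__(self, known_locations):
        # user -> set of countries the account has previously logged in from
        self.known = {u: set(c) for u, c in known_locations.items()}
        self.window = defaultdict(deque)  # ip -> deque of (ts, user, ok)
        self.blocked_ips = set()          # in-memory; a real system would expire these

    def _stuffing_signal(self, ip, now):
        win = self.window[ip]
        while win and win[0][0] < now - WINDOW_SECS:   # drop attempts outside the window
            win.popleft()
        if len(win) > MAX_ATTEMPTS_PER_IP:              # plain rate limit
            return True
        users = {u for _, u, _ in win}
        failures = sum(1 for _, _, ok in win if not ok)
        # A NAT address can legitimately carry many users, so require both
        # many distinct accounts AND a high failure rate before calling it stuffing.
        return len(users) >= MIN_DISTINCT_USERS and failures / len(win) >= MIN_FAILURE_RATIO

    def decide(self, a):
        if a.ip in self.blocked_ips:
            return "blocked"
        self.window[a.ip].append((a.ts, a.user, a.password_ok))
        if self._stuffing_signal(a.ip, a.ts):
            # Block even if this particular password was correct: a reused
            # password "working" is exactly what credential stuffing relies on.
            self.blocked_ips.add(a.ip)
            return "blocked"
        if not a.password_ok:
            return "deny"
        if a.country not in self.known.get(a.user, set()):
            return "step_up_2fa"        # right password, unfamiliar location
        return "allow"


def run(attempts, known_locations):
    """Feed attempts through a fresh guard; returns (user, ip, decision) per attempt."""
    guard = LoginGuard(known_locations)
    return [(a.user, a.ip, guard.decide(a)) for a in attempts]


# Constructed sample data: five accounts with known home countries, one
# legitimate user at 198.51.100.5 and one attacker at 203.0.113.7 replaying
# credentials leaked from another site.
KNOWN = {"alice": ["US"], "bob": ["US"], "carol": ["GB"], "dave": ["US"], "erin": ["US"]}

SAMPLE = [
    Attempt(0, "198.51.100.5", "alice", "US", True),    # alice at home: allow
    Attempt(5, "198.51.100.5", "alice", "US", False),   # alice typo: deny
    Attempt(10, "203.0.113.7", "alice", "ZZ", False),   # attacker: leaked password no longer valid
    Attempt(11, "203.0.113.7", "bob", "ZZ", False),
    Attempt(12, "203.0.113.7", "carol", "ZZ", False),
    Attempt(13, "203.0.113.7", "dave", "ZZ", True),     # dave reused his password: step-up 2FA
    Attempt(14, "203.0.113.7", "erin", "ZZ", True),     # 5th account, 3/5 failed: IP blocked
    Attempt(15, "203.0.113.7", "frank", "ZZ", False),   # already blocked
    Attempt(200, "203.0.113.7", "grace", "ZZ", True),   # still blocked after the window passes
]

if __name__ == "__main__":
    for user, ip, decision in run(SAMPLE, KNOWN):
        print(f"{ip:>14} {user:<6} {decision}")
```

Note that dave's reused password is accepted by the password check but is still stopped by the location step-up, and that the block on the attacker's address fires on erin's attempt even though that password was also correct. The volume cap alone would not have caught this run: only seven attempts were made, well under twenty, which is why the distinct-user and failure-ratio signal matters for slow, spread-out stuffing.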
The password point is also not relevant to the people whose accounts were not directly breached but whose personal data was exposed indirectly through the relative-sharing feature. Any legal case on that point would likely center on what damage that exposure did (or could) cause, and whether customers were fully informed of the potential risk before signing up to the sharing feature.
What's Your Opinion?
Does 23andMe have a point? Is a single password enough to reliably secure an account or should sites take extra measures? Should sites which handle sensitive data such as DNA be held to higher security standards?
