UK and Canada's data chiefs join forces to investigate 23andMe mega-breach
- Reference: 1718112610
- News link: https://www.theregister.co.uk/2024/06/11/uk_and_canada_23andme_probe/
- Source link:
The two-dog wolfpack of the Information Commissioner's Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) will look at whether the biotech biz's breach caused any customer harm, whether the appropriate safeguards were in place to prevent the incident, and if they were adequately candid with regulators at the time.
John Edwards, UK Information Commissioner, said: "People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place.
[1]
"This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected."
[2]
[3]
Edwards' counterpart Philippe Dufresne, the Privacy Commissioner of Canada, echoed those words: "In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world."
The [4]breach at the genetics and long-lost-family-finder was one of the year's more shocking incidents, with the number of affected individuals rising to nearly 7 million after months of investigations.
[5]
It also came to light that the company [6]failed to detect the attackers' activity for five months , only becoming aware of a breach after seeing a Reddit post about the data being stolen, rather than its own internal cyber sleuths picking up on the intrusion.
The cybercriminal using the alias "Golem" posted the data to [7]BreachForums , seemingly targeting Ashkenazi Jewish customers of 23andMe.
Golem also went on to make a string of anti-semitic statements and allegations against European politicians, as well as various comments referencing Zionism.
[8]
Whoever was behind the attack only actually broke into 14,000 accounts, however, the wide-scale opting-in to the platform's DNA Relatives feature – which allows users to browse others with whom they may be related – meant millions of users' data was ultimately accessed.
The many different possible configurations of 23andMe's granular account privacy controls meant that the crims were able to access varying degrees of data on affected users. From the basic profile information you'd expect to be included in a breach, to family trees and what chromosomes match to which relative, there was the potential for some highly sensitive information to be stolen.
23andMe also took the curious step of blaming their own customers' poor security habits for allowing the breach to unfold – a bold PR move, for sure, and one we don't often see, perhaps for good reason.
A fierce debate ensued with infoseccers piling in on the biotech company for what some believed to be wayward comms that [9]reeked of victim-blaming . One PR expert told El Reg at the time that the company's response "missed the mark completely."
Others, meanwhile, supported the move, saying user negligence was indeed the reason for the breach.
Those responsible for the attack used credential stuffing methods to gain access to the circa 14,000 accounts. It's not always the easiest thing to pick up on given that valid credentials are used to log into accounts, but there are ways to detect and prevent it, such as deploying 2FA/MFA, and that undoubtedly will be one of the first questions regulators ask as the investigation gets underway.
[10]Guess the company: Takes your DNA, blames you when criminals steal it, can’t spot a cyberattack for 5 months
[11]Infosec experts divided over 23andMe's 'victim-blaming' stance on data breach
[12]23andMe responds to breach with new suit-limiting user terms
[13]Casio keyed up after data loss hits customers in 149 countries
23andMe only enabled [14]2FA by default on accounts in November 2023, a month after the breach first took place, which regulators may deem to have been one guardrail installed too late in the day.
The ICO and OPC said no further comment will be made about 23andMe until the investigation is over.
A spokesperson for 23andMe sent a statement to The Register : "23andMe acknowledges the joint investigation announced by the Privacy Commissioner of Canada and the UK Information Commissioner today. We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023." ®
Get our [15]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zmh0t7ydTSESWco5oZREsAAAAMg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zmh0t7ydTSESWco5oZREsAAAAMg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zmh0t7ydTSESWco5oZREsAAAAMg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2023/10/19/latest_23andme_data_leak_takes/
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zmh0t7ydTSESWco5oZREsAAAAMg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/01/26/23_and_me_breach_filing/
[7] https://www.theregister.com/2024/05/28/breachforums_back_online/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zmh0t7ydTSESWco5oZREsAAAAMg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/01/04/23andme_victim_blaming_breach/
[10] https://www.theregister.com/2024/01/26/23_and_me_breach_filing/
[11] https://www.theregister.com/2024/01/04/23andme_victim_blaming_breach/
[12] https://www.theregister.com/2023/12/11/in_brief_security/
[13] https://www.theregister.com/2023/10/19/casio_data_theft/
[14] https://www.theregister.com/2024/01/04/23andme_victim_blaming_breach/
[15] https://whitepapers.theregister.com/
Information Commissioner has a time machine!
John Edwards, UK Information Commissioner, said: "People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected."
Difficult "to ensure the personal information of people in the UK is protected." after the fact, shirley?
"23andMe also took the curious step of blaming their own customers' poor security habits for allowing the breach to unfold – a bold PR move, for sure, and one we don't often see, perhaps for good reason."
23andMe were quite right.
2FA
How was this possible with 2FA ?
23andMe has always been
what in French is called "piège à cons". It can loosely translated as a trap for stupid persons but I find the translation rather mild to my taste.
Give away all your genetic profile just for fun. What were their customers thinking ? It seems 23 in the company's name shows the average IQ detected in their customers.
Just how were they supposed to detect the so-called "intrusion", which it wasn't, when the attackers were logging in using credentials that the users had used on other breached online services?
If I use the same passwords on all online accounts and people within a system to which an account has access share their genetic data with me, then they and I are at fault.
The 23 and Me customers are to blame. I belong to a number of geneaology groups and people are still constantly whining about having to go through the "unnecessary" process of MFA, despite so many of them having opened themselves up to this sort of attack.
This is no different to the Snowflake attack but the tone of articles covering the two incidents is very different. Why? They are exactly the same thing.