
Breach of Trust: 23andMe’s Data Breach Revelation

23andMe, the DNA testing company, suffered a significant data breach last year but, shockingly, it took the company five months to detect the intrusion. The breach, which occurred between May and September 2023, was only discovered in October of the same year. These details came to light through a data breach notification that the company filed recently.

Late Discovery of the Breach

According to the filing, hackers initiated the attack in May 2023 and continued their illicit activities until September of the same year. This breach affected nearly 7 million users, roughly half of 23andMe’s customer base. The company’s awareness of the breach was triggered by the discovery of stolen customer data being advertised on platforms like Reddit and dark web forums, as outlined in the filing.

Response to the Breach

Upon learning about the breach in October, 23andMe promptly launched an investigation into the matter and engaged federal law enforcement agencies. The company took immediate action by requiring all customers to reset their passwords on October 10. Furthermore, on November 6, it enforced two-step verification for both new and existing customers. Despite these measures, the breach had already exposed sensitive customer information, particularly related to their ancestry.

Blaming the Customers

In its investigation findings, 23andMe attributed the breach to a method known as “credential stuffing,” where hackers exploit previously compromised user credentials to gain unauthorized access to systems. However, the company seemingly shifted blame onto its customers, accusing them of negligence in password management. According to reports, 23andMe sent a letter to a group of victims, suggesting that customers had failed to update their passwords, exacerbating the security vulnerability.

Fallout and Legal Ramifications

The revelation of the data breach led to a series of lawsuits against 23andMe from affected customers seeking restitution for the compromised security of their personal information. The company, founded in 2006, gained prominence for its genetic testing services that offered insights into ancestry, genetic predispositions, and inherited traits. Despite assurances of data anonymization and user consent for data sharing with third parties, the breach has undoubtedly shaken customers’ trust in the company’s commitment to data security.

Ongoing Concerns and Response

Despite attempts to address the breach and mitigate its impact, 23andMe’s response has raised questions about its approach to cybersecurity and customer accountability. As the fallout from the breach continues to unfold, the company faces scrutiny over its handling of sensitive customer data and the adequacy of its security measures. With growing concerns about data privacy and protection, 23andMe must prioritize robust security protocols and transparent communication to regain the trust of its user base.
