January 22nd – The DNA testing company 23andMe recently made headlines on account of two data breaches that exposed highly sensitive genomics data belonging to millions of customers.
In an unprecedented move, the company blamed breach victims, telling them that the theft of data is their own fault. The ‘customer-is-at-fault’ position is based on the idea that customers were lax when it came to reusing passwords.
“That is, users used the same usernames and passwords…on 23andMe.com as on other websites…” the company’s attorneys said.
23andMe’s stance, widely criticized
In general, organizations have a fiduciary obligation to protect the sensitive and confidential information they collect from users, employees and other stakeholders, using robust internal controls and technology applications to do so.
“Attributing the entirety of blame to users is a flawed argument…While it is true that users have an obligation to follow best practices for account safety, companies also have an obligation to protect the sensitive information that has been entrusted to them,” says cyber security expert Erfan Shadabi.
Password reuse is a known and chronic issue. Businesses need to facilitate cyber security best practices among users, and have fail-safes in place that protect accounts and alert admins when password spraying tactics are used.
23andMe data, malicious use
Lawyers for 23andMe have said that the breached information cannot be used for harm, an assertion that appears to have been made without full knowledge of how the cyber threat landscape operates.
The compromised information can potentially be used for insurance fraud, identity theft, social engineering campaigns and for other malicious purposes, given that it was composed of data about people’s ancestry, genetic makeup, family relations and health conditions.
“From a crisis comms standpoint, 23andMe’s response to its breach misses the mark completely,” says PR expert Yvonne Eskenzi.
Attack prevention, best practices
This kind of breach can be prevented. Industry experts recommend the following:
- Because practices like password recycling are highly prevalent among consumers, consider making multi-factor authentication (MFA) a mandatory component of the log-in process. According to Microsoft, MFA can block over 99.9% of account compromise attacks.
- To strengthen account-based technical controls, implement behavior and anomaly detection. Hackers are becoming adept when it comes to staying below the radar and masquerading attacks as part of normal network traffic flows. Traditional edge web defenses don’t have the behavioral anomaly detection required, in many instances, to detect adversarial activity. Add behavioral threat protection to security infrastructure, which helps to combat a new generation of threats.
- Consider passwordless technologies, such as biometrics and passkeys.
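The fail-safe described above, alerting admins when one source tries many different accounts, can be expressed as a simple detection rule over authentication logs. The following is an added example written for this page, not code from 23andMe or from the original article; the log format, the field names, the ten-minute window and the thresholds are all assumptions chosen for illustration, and the sample log lines are constructed. It flags a source IP that attempts logins against at least five distinct accounts within the window with a high failure rate (the credential-stuffing pattern), and lists any accounts where such a source did succeed, which are the ones an admin would want to lock and reset.

```python
"""Credential-stuffing / password-spraying detector over auth logs (added example).

Assumed log format per line: ISO-8601 timestamp, source IP, username, outcome
(OK or FAIL). Thresholds are illustrative assumptions, not tuned values.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not real data.
SAMPLE_LOG = """\
2024-01-22T10:00:01Z 203.0.113.5 alice FAIL
2024-01-22T10:00:02Z 203.0.113.5 bob FAIL
2024-01-22T10:00:03Z 203.0.113.5 carol FAIL
2024-01-22T10:00:04Z 203.0.113.5 dave OK
2024-01-22T10:00:05Z 203.0.113.5 erin FAIL
2024-01-22T10:00:06Z 203.0.113.5 frank FAIL
2024-01-22T10:00:07Z 203.0.113.5 grace OK
2024-01-22T10:05:00Z 198.51.100.7 alice FAIL
2024-01-22T10:05:30Z 198.51.100.7 alice FAIL
2024-01-22T10:06:00Z 198.51.100.7 alice OK
2024-01-22T11:00:00Z 192.0.2.9 heidi OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: alert} for sources that hit many distinct accounts in one window.

    A sliding window per IP tracks how many distinct usernames were tried and how
    many attempts failed; one user failing repeatedly is not flagged (that is a
    per-account lockout concern, not spraying).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        in_window = Counter()  # username -> attempts inside the current window
        failures = 0
        for end, (t, _, user, ok) in enumerate(evs):
            in_window[user] += 1
            failures += 0 if ok else 1
            # Evict attempts older than the window.
            while evs[start][0] < t - window:
                old_user, old_ok = evs[start][2], evs[start][3]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                failures -= 0 if old_ok else 1
                start += 1
            total = end - start + 1
            if len(in_window) >= min_accounts and failures / total >= min_fail_ratio:
                hit = alerts.setdefault(ip, {"accounts": set(), "failures": 0, "compromised": set()})
                hit["accounts"].update(in_window)
                hit["failures"] = max(hit["failures"], failures)
                # Successful logins from a spraying source are likely account takeovers.
                hit["compromised"].update(u for (_, _, u, o) in evs[start:end + 1] if o)
    return alerts


def admin_alerts(alerts):
    """Render one admin-facing alert line per flagged source IP."""
    lines = []
    for ip, hit in sorted(alerts.items()):
        lines.append(
            f"ALERT spraying from {ip}: {len(hit['accounts'])} accounts tried, "
            f"{hit['failures']} failures, successful logins on: "
            f"{', '.join(sorted(hit['compromised'])) or 'none'}"
        )
    return lines


if __name__ == "__main__":
    for line in admin_alerts(detect_spraying(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the constructed log, the rule flags 203.0.113.5 (seven accounts tried in a few seconds, five failures, successes on dave and grace) and stays quiet for 198.51.100.7, which only retried a single account. In production the same rule would be fed from the identity provider's sign-in logs, and the successful logins it surfaces are the accounts to force a reset and MFA enrolment on.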