Navigating the Landscape of Privacy and Security in the Digital Age
After first disclosing the data breach in October, 23andMe revealed in December that personal data from 6.9 million users was impacted in the incident. The breach originated from attackers compromising approximately 14,000 user accounts, which subsequently granted unauthorized access to information voluntarily shared by users in a social feature the company calls DNA Relatives.
Attackers began compromising customers’ accounts as early as April and continued their intrusion efforts through much of September. Shockingly, the company failed to detect any suspicious activity during this period, allowing the attackers to operate undetected for five whole months.
The 23andMe Data Breach: A Wake-Up Call for All
Contrary to 23andMe’s initial blame on users for setting weak or reused passwords, research showed that the data breach is the result of a credential stuffing attack (in which an attacker uses leaked username-password combinations from other sites to break into 23andMe accounts), exposed a vast amount of personal information, including the DNA results of its users.
In this case, it appears that key company employees, who reused passwords across multiple platforms, fell victim to the breach, allowing unauthorized access to their 23andMe accounts and more than 92 million users’ information.
The implications of the breach are profound, as some of the most personal data possible was compromised. Per the company’s statement to Techcrunch, this included “the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location” for roughly 5.5 million people who opted into the “DNA Relatives” feature, which automatically shares some information with other users.
The incident underscores the need for robust cybersecurity measures to protect personal data in an increasingly sophisticated era of online threats.
Learning from the 23andMe Breach: Key Takeaways
1. Prioritize Cybersecurity from Day One
The 23andMe incident highlights the critical importance of integrating robust cybersecurity measures from a business’s inception. Implementing encryption, firewalls, and multi-factor authentication should be standard practice.
2. Understand the Value of the Data You Hold
Recognize the true worth of the data you collect and store. In the case of 23andMe, the breach exposed not only personal information but also highly sensitive genetic data. Understanding the value of the data you hold, where it is being stored, and who has access to it enables you to prioritize its protection effectively.
3. Comply with Data Protection Regulations
Adhering to data protection regulations, such as HIPAA and the NY Shield Act, is non-negotiable. Regularly audit your data protection practices to ensure they align with the latest regulations.
4. Foster a Culture of Security Awareness
Employees are often the first line of defense against cyber threats. Fostering a culture of security awareness ensures that every team member understands their role in protecting sensitive data.
Preventing Credential Stuffing Attacks: Practical Steps
1. Implementing Two-Factor Authentication (2FA):
Thwart credential stuffing attacks by implementing two-factor authentication. 2FA adds an extra layer of security, requiring users to provide two forms of identification before accessing their accounts.
2. Employee Education on Password Hygiene:
Educate employees on proper password hygiene. Discourage password reuse across multiple platforms, enforce strong password policies, and encourage the use of password managers.
3. Continuous Monitoring and Anomaly Detection:
Implement continuous monitoring and anomaly detection systems to identify unusual patterns of access or behavior that may indicate a credential-stuffing attack.
Are you worried about the 23andMe hack? Here’s what you can do.
If you’re concerned about the leak, there are a few things you can do to keep yourself safe.
- Change the password on your account immediately.
- Evaluate your online sharing practices. If you’re a 23andMe user, you can opt out of DNA Relatives by selecting the Manage Preferences option within DNA Relatives or from your Account Settingspage. Granted, this will remove your ability to gain deeper genetic insights from other users, yet it will offer additional protection if a similar attack occurs.
- Consider a Privacy and Security Cleanup. Shut down old accounts that you no longer access or need. A tool like McAfee’s Online Account Cleanupcan help remove your info from online accounts.
Cybersecurity does not have to be complicated.
The 23andMe data breach is a stark reminder of the ever-present threat to personal information. Implementing two-factor authentication, educating employees and clients on password hygiene, and actively monitoring for anomalies are essential steps to prevent data breaches from happening to your business.
Partner with a managed service provider like Meeting Tree Computer to monitor your systems, take preventative action, and work with professionals to install proper IT security strategies today. Call us at 845-237-2117. We’re here to help.
