23andme breach blog

What Businesses Can Learn From 23andMe’s Breach Response

Every business and IT leader dreads the day they’re forced to respond to a serious data breach. Those unfortunate to experience such an incident should have a well-rehearsed set of protocols and processes to work through as part of their incident response plan. But even this may not mitigate what comes next.

A recent breach at DNA testing firm 23andMe offers some interesting insight on why reputation management and crisis comms should be a core part of incident response.

What Happened?

The first that customers heard of the breach was in October, when the San Francisco-based biotech firm revealed it was investigating claims that hackers had compromised a large volume of user data. At least one threat actor had been actively looking to sell what it claimed to be a trove of 300TB of user data since August. Millions of records were apparently put up for sale on the dark web.

It later transpired that hackers initially breached the accounts of around 0.1% of its customer base, or 14,000 customers, through a classic “credential stuffing” technique. In other words, they obtained credentials that the customers had reused across multiple accounts and used them to unlock their 23andMe profiles.

“Using this access to the credential stuffed accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online,” the firm continued.

23andMe later confirmed that a total of 6.9 million individuals were impacted. In other words, by compromising one account through credential stuffing, the hacker was able to access data on that user and their relatives, greatly increasing the scope of the breach.

For most victims, the stolen data included their name, birth year, relationship labels, percentage of DNA shared with relatives, ancestry reports and self-reported location. Perhaps unsurprisingly, this incident spawned dozens of class action lawsuits.

23andMe’s Response

This is where things start to become more controversial. A letter sent by 23andMe’s lawyers to breach victims on December 11 appears to blame the latter for the breach. First, it claims that “users negligently recycled and failed to update their passwords” following past breaches; enabling the credential stuffing attacks.

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter adds.

Next, the firm’s lawyers claim that even if a violation did occur, it has been remediated. 23andMe reset all affected passwords and now mandates that users use two-factor authentication (2FA) when logging in.

Finally, they argue that any information accessed by hackers “cannot be used for any harm”.

“The information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter notes.

Experts aren’t so sure. CyberSmart CEO, Jamie Akhtar, claims this argument “isn’t grounded in the reality of modern cyber threats”.

“Such data could easily be used by cyber-criminals to launch social engineering campaigns or even to gain access to an individual’s financial services,” he tells ISMS.online. “Many people use Mother’s maiden name as an additional security question.”

There are also question marks over the decision to portray the breach victims as solely to blame for the incident. Even if the 0.1% whose accounts were compromised by credential stuffing are partially culpable, those millions who had their DNA information subsequently scraped have no case to answer, lawyers for the defendants claim.

“23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” argues Hassan Zavareei, one of the lawyers representing these victims.

“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing – especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

These measures could have included mandatory 2FA for logging in, something the firm subsequently introduced. Another potential way to mitigate customer account compromise is to run checks against databases of previously breached credentials, such as via an API for the HaveIBeenPwned? site.

A Bad Day for PR

All of which illustrates why rigorous crisis comms and reputation management should be part of your organisation’s incident response processes. According to IBM, the cost of lost business – which includes the cost of lost customers and acquiring new customers, as well as reputation losses and diminished goodwill – represents nearly a third (29%) of the average cost of a data breach.

Yvonne Eskenzi, co-founder of security PR agency Eskenzi PR, argues that 23andMe’s letter was likely driven by its legal department, but risks angering customers and fuelling a popular backlash against the company.

“A breach statement should never be the news,” she tells ISMS.online.

“Breaches appear in the news every day. However, the statements are usually so mundane that they don’t appear as a talking point. They should be factual and drawn on by journalists and customers for information, not speculation. Highlight what is being done and what customers can do, rather than accentuate the negatives.”

Six Steps to Better Incident Response Comms

Best practice cybersecurity standards like ISO 27001 can help your organisation to design and implement comprehensive incident management programmes. But there’s always room for improvement.

Here are a few tips from Eskenzi:

⦁ Put a crisis comms plan in place: It should include the contact details of key stakeholders and what they will oversee, guidance for employees, and plans for monitoring social, media and customer channels
⦁ Conduct crisis simulations with a third party: They will provide feedback and help to pre-empt issues
⦁ Avoid accusing victims: Post-breach, you should instead examine security practices and implement steps to prevent a similar incident from happening again, and then communicate this
⦁ Ensure all public-facing communications are factual, informative and timely: Avoid speculation, outline what steps are being taken to avoid a breach occurring again, and provide practical advice on how impacted parties can protect themselves
⦁ Don’t shy away from apologising: Sincere apologies and meaningful action can demonstrate empathy, restore trust and improve brand perception
⦁ Ensure communications departments lead on all external comms: Legal input should be restricted to reviewing their output, not the other way around

Streamline your workflow with our new Jira integration! Learn more here.