23andMe Says Breach Victims Are to Blame, Legal Action is Futile


Michael Edgar
05 January 2024, 12:37pm
Months after the San Francisco-based company experienced a data breach impacting about 6.9 million users, 23andMe is now facing criticism for blaming victims of the breach and discouraging legal action.

The crux of the argument from 23andMe is an interpretation of the California Privacy Rights Act (CPRA), which requires businesses to implement procedures for collecting sensitive data. The law, however, remains vague on what constitutes reasonable security.

23andMe therefore claims in an open letter that it is not responsible for any security breach, and rather contends that users who negligently recycled and failed to update their passwords after past security incidents bear responsibility.

"We urge you to consider the futility of continuing to pursue an action in this case," read the letter.

The exploit was a result of credential stuffing, where threat actors gained access to 14,000 accounts by using emails and passwords lifted from past data breaches.

From there, they were able to access information from users who opted into the DNA Relatives feature, which allows relatives to access each other's information, leading to about 6.9 million breached users.

Despite 23andMe's assertion that the accessed information posed no threat, lacking information such as social security numbers or financial information, more than 30 lawsuits have been filed against the company.

"Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity," said Erfan Shadabi, cybersecurity expert at comforte AG.

According to him, while users do have an obligation to follow best practices for their own safety, companies also have an obligation to protect the sensitive information that has been entrusted to them.

Speaking with TechCrunch, the attorney of over 100 of the victims, Hassan Zavareei, called the company's response "shameless".

The class-action lawsuit argues that 23andMe's security measures were inadequate and that the company was aware of common user practices and should have implemented safeguards against credential stuffing.

The attorney insists that most victims are blameless, having their data exposed through the DNA Relatives feature, not due to recycled passwords.

Zavareei's firm is seeking damages exceeding $5 million for the loss of personally identifiable information, costs associated with remediating the breach, and emotional distress.

"In this age of sophisticated social engineering attacks, any claim that a data breach cannot cause pecuniary harm because it did not consist of social security numbers, driver's license number or credit card data has to be done tongue in cheek," said Nick Rago, field CTO at Salt Security.

According to him, these attacks don't take much information to be effective, and the rise of AI technologies can help threat actors craft social engineering attacks out of information like genealogy or relationship information.

As the legal battle unfolds, 23andMe faces growing scrutiny and a potentially significant financial burden. The company's response to the breach continues to draw scrutiny, leaving users seeking accountability and resolution.
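The lawsuit's point that a service can detect and block credential stuffing is easy to illustrate on the authentication side. The following is an added example, not code from the article or from 23andMe: a per-source-IP sliding window over login events that flags a source trying many distinct accounts with a low success rate (the signature of replaying leaked email/password pairs) and records any account that succeeded inside such a burst so it can be locked and its session revoked. The log format and the sample lines are constructed assumptions.

```python
"""Flag credential-stuffing bursts in authentication logs (defender-side check)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-timestamp> <source-ip> <account> <OK|FAIL>".
# One IP walks six different accounts in seconds and lands one hit; a second
# IP is a single user retrying their own account, which must NOT be flagged.
SAMPLE_LOG = """\
2024-01-05T12:00:01 203.0.113.9 alice@example.com FAIL
2024-01-05T12:00:02 203.0.113.9 bob@example.com FAIL
2024-01-05T12:00:03 203.0.113.9 carol@example.com OK
2024-01-05T12:00:04 203.0.113.9 dave@example.com FAIL
2024-01-05T12:00:05 203.0.113.9 erin@example.com FAIL
2024-01-05T12:00:06 203.0.113.9 frank@example.com FAIL
2024-01-05T12:10:00 198.51.100.7 alice@example.com FAIL
2024-01-05T12:10:20 198.51.100.7 alice@example.com OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts": n, "compromised": [...]}} for sources whose
    activity within any window spans >= min_accounts distinct accounts with a
    success rate <= max_success_rate. Accounts that succeeded inside such a
    burst are listed as probable compromises."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # time order; the window slides over this list
        peak_accounts, compromised, start = 0, set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = {e[2] for e in burst}
            ok_count = sum(1 for e in burst if e[3])
            if len(accounts) >= min_accounts and ok_count / len(burst) <= max_success_rate:
                peak_accounts = max(peak_accounts, len(accounts))
                compromised |= {e[2] for e in burst if e[3]}
        if peak_accounts:
            findings[ip] = {"accounts": peak_accounts, "compromised": sorted(compromised)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts tried, compromised={info['compromised']}")
```

Thresholds are deliberately conservative so that a single user fumbling their own password never trips the rule; in production the same windowing would be keyed on IP range and device fingerprint as well, and a hit would also trigger a breached-password check on the affected account.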
Michael Edgar, Staff Writer, DIGIT