The data protection watchdogs of Britain and Canada are working together to uncover the facts behind last year’s 23andMe data breach.
The two-dog wolf pack of the Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) will investigate whether the breach at the biotech company caused any harm to customers, whether appropriate security measures were in place to prevent and handle the incident, and whether the company was sufficiently open with the regulators at the time.
John Edwards, UK Information Commissioner, said: “People should be able to trust that any organization handling their most sensitive personal information has the right security and safeguards in place.
“This data breach had an international impact and we look forward to working with our Canadian counterparts to ensure that the personal information of people in Britain is protected.”
Edwards’ counterpart Philippe Dufresne, Canada’s Privacy Commissioner, echoed these words: “In the wrong hands, an individual’s genetic information can be misused for surveillance or discrimination. Ensuring that personal information is adequately protected from attack by malicious actors is an important concern for privacy authorities in Canada and the rest of the world.”
The breach of genetic and family-tree data was one of the most shocking incidents of the year, with the number of affected individuals rising to almost 7 million after months of investigation.
It also came to light that the company failed to detect the attackers’ activity for five months and only became aware of the breach after seeing a post on Reddit about the stolen data, rather than because its own internal cyber sleuths had noticed the intrusion.
The cybercriminal using the alias “Golem” posted the data on BreachForums, apparently targeting Ashkenazi Jewish customers of 23andMe.
Golem went on to make a series of anti-Semitic statements and accusations against European politicians, as well as several comments referencing Zionism.
Whoever was behind the attack directly compromised only around 14,000 accounts, but because so many users had opted in to the platform’s DNA Relatives feature – which lets users browse others they may be related to – those accounts could be used to pull data on millions of users.
Because 23andMe’s account privacy controls are granular and can be configured in many ways, exactly what the criminals could see varied from user to user. It ranged from the basic profile information you would expect to be included in a breach to family trees and which chromosome segments match which relative, so highly sensitive information was at risk of being stolen.
23andMe also took the curious step of blaming the poor security habits of their own customers for allowing the breach to occur – a bold PR move, certainly, and one we don’t see often, perhaps for good reason.
A fierce debate ensued, with infoseccers laying into the biotech company over communications that some saw as smacking of victim blaming. A PR expert told El Reg at the time that the company’s response “completely missed the point.”
Others, meanwhile, sided with the company, saying user negligence was indeed the reason for the breach.
Those responsible for the attack used credential stuffing to gain access to the approximately 14,000 accounts. Because the attacker logs in with valid, previously leaked credentials, it’s not always the easiest thing to spot, but there are ways to detect and prevent it – monitoring and rate-limiting logins per source, and above all deploying 2FA/MFA – and that will undoubtedly be one of the first questions the regulators ask as the investigation progresses.
23andMe only enabled 2FA by default on accounts in November 2023, a month after the breach came to light, which regulators said may have been a guardrail installed too late in the day.
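To make the detection point concrete, here is an added example (not 23andMe code, and not anything the regulators published) of the kind of heuristic that catches credential stuffing even though every login uses real credentials: one source address touching many distinct accounts in a short window, with a low success rate. The log format, the thresholds and the sample lines are all constructed assumptions for this illustration.

```python
"""
Toy credential-stuffing detector over constructed authentication log lines.

Added example; not code from 23andMe or the ICO/OPC. The log format
("<ISO timestamp> ip=<src> user=<login> result=<ok|fail>") and the
thresholds below are assumptions, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks a leaked credential list
# (many accounts, mostly failures, two hits); the other sources are
# ordinary users mistyping a password or logging in normally.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol@example.com result=ok
2023-10-01T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2023-10-01T10:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2023-10-01T10:00:07Z ip=203.0.113.7 user=grace@example.com result=ok
2023-10-01T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=fail
2023-10-01T10:05:00Z ip=198.51.100.20 user=alice@example.com result=fail
2023-10-01T10:05:10Z ip=198.51.100.20 user=alice@example.com result=fail
2023-10-01T10:05:30Z ip=198.51.100.20 user=alice@example.com result=ok
2023-10-01T10:07:00Z ip=192.0.2.5 user=ivan@example.com result=ok
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": fields["ip"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_success_ratio=0.5):
    """
    Flag source IPs that, within any sliding `window`, attempt at least
    `min_accounts` distinct accounts with a success ratio at or below
    `max_success_ratio`. A single user retrying their own password never
    trips this, because the distinct-account count stays at one.

    Returns {ip: {"accounts_tried": int, "compromised": [users that
    logged in successfully from a flagged window]}}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        hits = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(1 for e in win if e["ok"])
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                if hits is None:
                    hits = {"accounts_tried": 0, "compromised": set()}
                hits["accounts_tried"] = max(hits["accounts_tried"], len(users))
                # Successes inside a stuffing burst are the accounts to lock and notify.
                hits["compromised"].update(e["user"] for e in win if e["ok"])
        if hits:
            flagged[ip] = {
                "accounts_tried": hits["accounts_tried"],
                "compromised": sorted(hits["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"took over {info['compromised']}")
```

Two caveats a practitioner would add: an attacker who spreads the list across a large proxy pool keeps each source under `min_accounts`, so the same counts should also be aggregated per ASN, per device fingerprint and per account (one account hit from many sources); and detection after the fact is the weaker control, since a second factor makes a leaked password alone insufficient in the first place.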
The ICO and OPC said no further comment will be made about 23andMe until the investigation is over.
A spokesperson for 23andMe sent a statement to The Register: “23andMe acknowledges the joint investigation announced today by the Privacy Commissioner of Canada and the UK Information Commissioner. We intend to cooperate with the reasonable requests of these regulators regarding the credential stuffing attack reported in October 2023.” ®