Associate Lucy Burrows provides insight in ITPro on the 23andMe data breach and highlights the danger of firms blaming consumers instead of their own insufficient data protection practices.
Lucy’s comments were published in ITPro, 4 January 2024, and can be found here.
“The hackers used a technique known as credential stuffing. Whilst the technique has been met by a distinct lack of prosecutions in the UK, in 2021 the French Data Protection Authority imposed a fine of €150,000 on a data controller and €75,000 on a data processor for failure to protect customers’ personal data against credential stuffing, demonstrating there is a level of accountability imposed on the data controller and processor with regards to preventing such attacks.
“There are three specific layers of measures 23andMe could have implemented to prevent the credential stuffing attack: bot detection, breached password detection, and multi-factor authentication.
“At this stage, it is unclear whether 23andMe had these security measures implemented at the time of breach, although the company has since made multi-factor authentication mandatory. You would think, given the sensitivity of the data that the company handles, that these security measures would be in place already.
“It is extremely damaging for 23andMe to blame their customers, especially in a climate where consumer trust in how companies safeguard data is rapidly eroding. This seems to be an attempt to discourage customers from pursuing legal action against them, which we have already seen through updates to their US terms of service.
“23andMe is certainly not justified in its response. Instead of blaming customers, the company should take responsibility, be transparent about the breach, and work to regain customer trust through improving their security measures.”