The recent data breach at prominent genetic testing service, 23andMe, has exposed not just user data but also critical vulnerabilities in the framework of digital genetic databases.
While the breach itself is disconcerting, what it reveals about the cybersecurity posture of online services that handle sensitive data is even more unsettling.
The data obtained in this breach did not include genetic information but revealed details such as display names, birth years, and sexes of the users.
What happened?
Ealier this month, 23andMe acknowledged the data breach in a blog post, identifying "credential stuffing" as the method of intrusion. In this type of attack, cybercriminals exploit leaked usernames and passwords from previous breaches to gain unauthorised access.
Initially, the breach affected specific ethnic groups, with one million accounts of Ashkenazi Jewish descent and 100,000 of Chinese descent being targeted.
Later revelations indicated a wider impact, with an additional four million general accounts compromised.
It was noted that the compromised accounts had enabled the optional "DNA Relatives" feature, making the data richer and potentially more exploitable.
The recent @23andMe incident was credential stuffing so it only impacted those with reused creds and no 2FA, right? No, because the service enables connections between people you could have all your security spot on but someone else doesn't and now your data is impacted. pic.twitter.com/PmeasuAKJx— Troy Hunt (@troyhunt) October 25, 2023
Security implications
The absence of a comprehensive federal framework to safeguard users of such genetic testing sites leaves a gaping hole in cybersecurity policy.
From a cybersecurity perspective, the optional nature of security features like two-factor authentication (2FA) comes across as a lackadaisical approach to a multi-layered problem.
Security shortcomings and recommendations drawn from the attack are:
- Lax authentication mechanisms: The attack vector exploited the weakest link in cybersecurity—human error. 23andMe should enforce two-factor authentication (2FA) for all users.
- Optional security features: Offering essential security measures like 2FA as optional extras undermines data protection. These features should be mandatory.
- User behavior: 23andMe's current approach puts the burden of security on the user. This is not sustainable. The service should routinely educate its user base on the necessity of employing strong, unique passwords.
- Periodic security audits: The lapse points to a glaring need for regular security audits to preemptively identify vulnerabilities.
Recommendations for users:
- Unique passwords: Use a password manager to ensure every account has a unique, strong password.
- Two-factor authentication: Always opt for additional layers of security, such as 2FA.
- Optimal use of features: If you are not using features like "DNA Relatives," it is advisable to disable them to reduce your data footprint.
Final thoughts
The 23andMe incident underscores the importance of robust cybersecurity practices in safeguarding sensitive personal data.
While individual user measures can mitigate some risks, the onus of ensuring comprehensive security must lie with the service provider.
Periodic assessments, regular updates, and a mandatory multi-factor authentication policy could provide a more robust security framework.
In an era where data is as valuable as any currency, taking a proactive rather than reactive approach to cybersecurity is not just advisable, but imperative.