General Data Protection Regulation (GDPR) , Incident & Breach Response , Security Operations

Privacy Regulators Probe Impact of 23andMe's Mega Breach

6.9 Million Individuals' Genetic Details Stolen via 2023 Credential Stuffing Attack
Privacy Regulators Probe Impact of 23andMe's Mega Breach
A credential stuffing attack against 23andMe led to the theft of genetic data pertaining to 6.9 million users. (Image: Shutterstock)

Privacy regulators in the U.K. and Canada have launched a joint investigation into 23andMe after the direct-to-consumer genetic testing service suffered a massive data breach in October 2023.

See Also: Meeting the Mandate: A Proactive Approach to Cybersecurity Compliance and Incident Reporting

Britain's Information Commissioner's Office and the Office of the Privacy Commissioner of Canada said they'll jointly investigate the publicly traded company's compliance with their respective data protection laws and the impact of the breach, which exposed ancestry information for 6.9 million individuals.

The ICO and OPC said they'll review the scope of information exposed and the potential risk it poses to individuals, whether 23andMe had sufficient safeguards in place to protect that data, and whether it correctly notified affected individuals and U.K. and Canadian regulators about the breach.

The ICO said the data being stored by 23andMe "can reveal information about an individual and their family members, including about their health, ethnicity and biological relationships." Once exposed, such data might pose a permanent risk to individuals, given that one's genetic information never changes.

"People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place," said U.K. Information Commissioner John Edwards. "This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected."

"We intend to cooperate with these regulators' reasonable requests relating to the credential stuffing attack discovered in October 2023," 23andme said in a statement.

That breach exposed information for 6.9 million customers who opted into 23andMe's DNA Relatives feature, which can be used to identify relatives on any branch of an individual's family tree, up to eight generations back. Exposed information included "family tree" profile information, which contains names, relationship labels, birth year, self-reported location and the user's decision to share their information.

In October 2023, 23andMe first reported that about 140,000 of its users had fallen victim to credential stuffing attacks, meaning attackers logged into accounts for which users had reused their username and password elsewhere.

Subsequently, 23andMe found that after gaining access to those accounts, an attacker successfully scraped profile information for half of the site's 14 million users, which they then offered for sale. The leaked data, according to media reports, featured individuals with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry.

"In the wrong hands, an individual's genetic information could be misused for surveillance or discrimination," said Canadian Privacy Commissioner Philippe Dufresne. "Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world."

The regulators didn't define the potential duration of their probe. "Each regulator will investigate compliance with the law that it oversees," their joint statement said. "No further comment will be made while the investigation is ongoing."

Defenses Against Credential Stuffing

As the 23andMe data breach demonstrates, attackers continue to use credential stuffing attacks, often obtaining known username and password pairs via public data leaks (see: 71 Million Unique Emails Found in Naz.api Cybercrime Dump).

Such attacks can be highly automated, rapidly executed and difficult for downstream organizations to block, unless they take proactive steps to detect and prevent them, which security experts have long recommended they do (see: Credential Stuffing Attacks: How to Combat Reused Passwords).

One defensive strategy is to force users to pick unique passwords. Since August 2017, the U.S. National Institute for Standards and Technology has recommended users never pick a password that has previously appeared in a known data breach. To help, Australian developer Troy Hunt that year launched a free service called Pwned Passwords, which allows users to test possible passwords against a database that contains hashes of hundreds of millions of passwords known to have been leaked, assembled from numerous public and private data leaks. The service, which can be accessed via an API, includes hashes of passwords obtained by the FBI and Britain's National Crime Agency during the course of their investigations.

Another proven defense against credential stuffing is multifactor authentication. Even if an attacker possesses a working username and password pair, an MFA check will prevent them from accessing the account. While attackers can attempt to bypass MFA defenses, doing so takes much more time and technical acumen, thus decreasing the likelihood they might attempt to do so or succeed (see: Multifactor Authentication Bypass Attacks: Top Defenses).

Since 2019, 23andMe has offered customers the ability to secure their accounts using two-factor authentication via either an authenticator app or one-time code sent to their registered email address, although the service didn't make TFA mandatory. That changed last November, when 23andMe said all new accounts would be automatically enrolled in TFA via email, after which they could switch to using the authenticator app if preferred.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.