23andMe Cyber Attack
Date: 21 March 2024
23andMe, the genomics and biotechnology giant, suffered a massive data breach in 2023. Genetic data of almost 7 million individuals was compromised. We've collated all the information available in the public domain to design this easy-to-read and visual 23andMe Cyber Attack Timeline document and summary image.
Studying past cyber-attacks can unravel little nuggets of wisdom which we can then use to further strengthen our defences against similar attacks in the future. It is with this objective that we, at Cyber Management Alliance, regularly create educational cyber-attack timelines.
What happened in the case of 23andMe and how did the genetic data of almost 7 million customers get compromised? How did the company respond? And what were the primary reasons behind the serious backlash it faced in the wake of this data breach?
Our detailed 23andMe Cyber Attack Timeline Document and Summary Image aim to answer these questions in a visual and easily readable format. We've organised all the information in a chronological order for easier consumption.
The idea, as always, is not to discuss the victim, but to learn lessons from recent cyber attacks, data breaches and ransomware attacks. The historical perspective that cyber attack timelines offer into the tactics and techniques of current threat actors is significant for building better Cyber Incident Response strategies. You can also use these Attack Timelines as inspiration to create Cyber Attack Tabletop Exercise Scenarios for your business.
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
About the 23andMe Data Breach
In August 2023, the threat actor known as Golem on Breach Forums claimed to have stolen 300 TB of 23andMe data. In October, the company confirmed that its data had indeed been breached. It suggested that threat actors had carried out a credential stuffing attack, reusing credentials exposed in earlier, unrelated breaches to log in to the accounts of 23andMe customers.
The leaked data reportedly matched public genealogy records. It later became apparent that the number of users whose data had been compromised totalled a whopping 6.9 million.
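The credential stuffing pattern described above (one source trying leaked passwords against many different accounts, a single attempt or two each) leaves a recognisable trace in authentication logs. The following is an added example of ours, not code from the original article or from 23andMe: it runs over constructed sample log lines in an assumed "timestamp ip user result" format, flags sources that touch many distinct accounts within a short window, and lists which of those attempts succeeded, i.e. the accounts that now need a forced password reset and MFA enrolment.

```python
"""Credential stuffing detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format assumed: "timestamp ip user result".
# 203.0.113.7 sprays many accounts once each (stuffing); 198.51.100.9
# hammers a single account (brute force, a different pattern).
SAMPLE_LOG = """\
2023-08-01T10:00:01 203.0.113.7 alice FAIL
2023-08-01T10:00:02 203.0.113.7 bob FAIL
2023-08-01T10:00:02 203.0.113.7 carol OK
2023-08-01T10:00:03 203.0.113.7 dave FAIL
2023-08-01T10:00:04 203.0.113.7 erin FAIL
2023-08-01T10:00:05 203.0.113.7 frank OK
2023-08-01T10:05:00 198.51.100.9 alice FAIL
2023-08-01T10:05:30 198.51.100.9 alice FAIL
2023-08-01T10:06:00 198.51.100.9 alice OK
"""


def parse(log):
    """Turn log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: sorted list of accounts that logged in OK} for every
    source IP that attempted at least `min_accounts` distinct accounts
    inside any sliding `window`. Repeated attempts on one account do not
    count towards the threshold, so plain brute force is not flagged here."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    compromised = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len({u for _, u, _ in span}) >= min_accounts:
                compromised[ip].update(u for _, u, ok in span if ok)
    return {ip: sorted(users) for ip, users in compromised.items()}


if __name__ == "__main__":
    print(detect_stuffing(parse(SAMPLE_LOG)))  # {'203.0.113.7': ['carol', 'frank']}
```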
Unfortunately, the attackers had specifically targeted minority groups, posting detailed information about individuals of Ashkenazi Jewish and Chinese descent on the dark web. The magnitude of the breach has been vast and its implications go beyond the fact that data was leaked. The kind of data that was leaked gave the breach a highly politicised undertone. It included:
- Names, profile photos, birth years and locations
- Family surnames, grandparents' birthplaces and ethnicity estimates
- Mitochondrial DNA haplogroup and Y-chromosome DNA haplogroup
Experts have said that the 23andMe data breach has given cyber attacks of this nature a 'total paradigm shift'. Many are worried that the kind of information that has been leaked could be used to target specific ethnic groups or individuals originally hailing from specific nation states.
Lessons Learned from the 23andMe Cyber Attack
Like every business in such a position, 23andMe took immediate steps to mitigate the damage. It encouraged users to reset their passwords and enable two-factor authentication. It also disabled some features within the DNA Relatives tool, besides engaging third-party cyber incident response experts and informing federal law enforcement.
Yet, the incident has led to multiple lawsuits against 23andMe. Customers are alleging that 23andMe violated privacy laws by failing to sufficiently protect their most intimate data.
The company also, apparently, sent letters to customers who had taken legal recourse. It allegedly hinted that the data breach was caused not by its own security shortcomings but because many customers “negligently recycled and failed to update their passwords”.
It soon received serious backlash. Experts pointed out that 14,000 customers belonged to the group whose old exposed passwords had been used in the credential stuffing attack. Yet, records of almost 6.9 million 23andMe customers were ultimately breached.
Attorneys and genetic privacy experts alleged that intimate and sensitive data of this sort should have been better protected by 23andMe. The company, apparently, took months to notice the anomalies in its network.
Customers continue to pin the blame on the lax security of the organisation and its inability to accurately assess the severity and vastness of the breach. Many are also saying the organisation should have informed customers of Jewish and Chinese descent that they were specifically targeted, so they could be aware of the threats that could follow from this attack.
The lessons from this attack and the ensuing negative reactions can be summed up as follows:
1. Prioritise data protection: Every business handling sensitive information must already be aware of how critical it is to protect their data. Yet, new data breaches come to light every other day. No matter how well protected you feel you may be, never be complacent.
Enlist the help of external cybersecurity specialists like our Virtual Cyber Assistants. You can easily and affordably access the support of deeply experienced cybersecurity practitioners who can help you improve your cybersecurity maturity significantly. They will help you evaluate and assess your current breach readiness and assist you in closing the gaps identified.
2. Cyber Incident Planning and Response: There is no denying that what happened to 23andMe could happen to any organisation. However, as experts tend to suggest, the response could have been better and perhaps, in this situation, more sensitive. Even subtly pinning the blame on customers is never a good idea.
If you deal with particularly sensitive and personal information, ensure that your Cyber Incident Response Plan takes that into account. Lay special emphasis on Communication and ensure that your plan makes space for handling a data breach with enhanced sensitivity and caution.
3. Test your Incident Response Protocols: Merely having an Incident Response Playbook and Plan or adequate security controls is never enough. You must regularly validate the effectiveness of your security measures and policies through regular tests. Cyber Attack Tabletop Exercises, Cybersecurity Audits and Assessments, Penetration Tests - they must all be conducted at sufficiently regular intervals.
And don't give in to the temptation of conducting these tests internally, because the deep real-world expertise and the objective, unbiased opinion that an external practitioner brings can never be replicated by internal staff.
You can also use any of the free resources created by our cybersecurity experts to start building better cyber resilience today:
- Top Cyber Tabletop Exercise Scenarios
- Cyber Tabletop Exercise PPT
- Cyber Tabletop Exercise Template
- Ransomware Incident Response Playbook