23andMe told victims of data breach that suing is futile

23andMe told victims of data breach that suing is futile(arstechnica.com)

52 points by leemailll 2 years ago | 33 comments

noduerme 2 years ago |

To be clear, the victims of this breach may be targeted for much more than just identity theft or monetary losses, given the way the stolen data has been deployed. This was the first ever industrial-scale attempt to target people of a specific ethnicity using genetic data to identify and "doxx" them for potential hate crimes.

https://www.nbcnews.com/news/us-news/23andme-user-data-targe...

One could easily see, e.g. a citizen of a middle eastern country who had some surprising Ashkenazi background being targeted for death as a result of this.

jacquesm 2 years ago | |

Exactly. The number of people making light of this in this thread is unsettling, to put it mildly. If that's the 'tech savvy' crowd then you have to really worry about everybody else. The parallels with the Dutch citizen registry story from WWII are just too much to ignore.

noduerme 2 years ago | | |

Jacques, I respect you, but I'm already apparently living in a world where my genetic markers make me feel like a rabbit-on-the-run, or at least they force me to pre-emptively apologize for other people with similar genes when I want to travel in most countries. I'm not going to be overly concerned about the constituents of this thread; their views are incoherent, but if they had much power to influence anything, they wouldn't be wasting their time writing here, and neither would we.

Perhaps a better way to say this is that 'tech savvy' posters are the least likely to have a good handle on mainstream feelings, and I definitely feel safer among normal people than those who consider themselves arguers for technological progress without a supporting philosophy.

[edit] I had a dream last night that the front of my house was all glass, including the ceiling. And I was on the couch with my girlfriend reading books when a Hamas protest came down the street, waiving green flags. They took positions on the roof of the school across from me, and they were pumping the air with AK47s and shouting slogans, looking down into our glass house and waiting for us to respond. We looked at each other and tried to make ourselves small and we did not want to respond to their slogans. They became more and more agitated that we were refusing to agree with them. We knew that we were marked for death. Then the police showed up and they moved down the street, chanting the same things.

This is a small story. My father, stupidly, put his genes on this website without asking his children; thus I was a victim of this data breach (we're not surprisingly 90% Ukrainian/Belarusian/Ahskenazi Jewish and oddly 10% Irish). But what does it mean to dream people shouting a slogan that you'll either shout with them or die, into the glass living room of your house? It feels like a perfect metaphor for the time we're living in. I wish everyone in the world had that dream so they could understand what it feels like to be a true rebel who is alone against a mob.

jacquesm 2 years ago |

We'll see how the EU data protection offices feel about that. Just imagine having something like this happen and then giving your customers the finger. The lack of ethics is impressive. I sincerely hope they get fined into oblivion as a nice example to the next medical company that doesn't understand their responsibilities towards their users.

ticulatedspline 2 years ago | |

And what exactly where their responsibilities that they failed to understand?

jacquesm 2 years ago | | |

That they should have offered (and enforced) 2FA from day #1 because users will re-use passwords because they are utterly unaware of the implications of doing that. A company the size of 23andme in charge of a very large amount of medical data and PII should be aware of those implications. To blame the users here is beyond stupid and irresponsible.

You don't engineer a service like 23andme without doing some risk assessment and one of the risks they should have identified and mitigated is password re-use by Joe Average because Joe Average (and his mom) were exactly the demographic that they targeted. Anybody that was somewhat sensitive to the privacy risks wouldn't have used the service in the first place.

chii 2 years ago |

even if there's no financial compensation for the victims, it makes sense to make an example out of a company that doesn't actually take data privacy and security seriously.

ticulatedspline 2 years ago | |

It would be dangerous precedent though. assuming they have a reasonable password policy it seems the breach was in no way related to a failure by 23 and me.

they even offer 2 factor https://customercare.23andme.com/hc/en-us/articles/360034119...

sure they could do better, but are they legally required to be better? They could force 2fa, or 3fa, or 4fa, and disable accounts that go inactive for more than a week and require a validating DNA sample in the mail to reactivate.

if they're "made an example of" what exactly does that mean? at what point is an entity legally responsible for the irresponsibility of it's users?

noduerme 2 years ago | | |

I think it's more a question of encrypting data on the backend. The data wasn't stolen by phishing 16 million individual users' passwords. Companies that deal with sensitive genetic data should be subject to the same level of HIPAA compliance as those that deal with medical data, for instance.

tjpnz 2 years ago | |

The allegation is that they weren't taking reasonable steps to safeguard customer data under California law, the problem is that it's not stated what reasonable is. What's needed here are clearer regulations.

jacquesm 2 years ago | | |

Common sense tells you that if you set up a service for the gullible to send you their DNA that none of your customers are going to be security and privacy conscious. You need to engineer your service accordingly.

anotherhue 2 years ago |

If some authority doesn't roll out the guillotine for this one then we should all just give up believing citizens are important in the eyes of the state.

I think we all know the answer already.

synicalx 2 years ago |

From what I understand, the hack was due to a large number of people re-using passwords and the company doing nothing to prevent or detect this.

Security practices and their ludicrously bad response aside, I cannot fathom why someone would send their literal DNA to a company and then take no steps to secure that information. Is technical literacy really this poor amongst the general population? Even my retiree dad who can't reliably turn on his TV on knows about MFA.

cassianoleal 2 years ago | |

> the company doing nothing to prevent or detect this.

How would they do that?

I'm not defending 23andMe but I really don't see how a service can detect that the password I chose on their website is the same I chose on a different one. Not without: a) them knowing what my chosen password is; and b) them knowing my passwords on other websites.

ticulatedspline 2 years ago | | |

I have been defending them but there are things they could do, though I don't think they should be legally required to do so.

Where I work the security team monitors PW leaks and run them against our userbase if we find matches we lock their accounts and force a reset, that password also goes into a file and becomes pema-banned from being chosen.

we also force multifactor, which isn't bullet proof (heck if you used the same TOTP in 2 sites your hex key could get stolen) but it does go a long way. 2 factor is super annoying though and lots of places only offer crap methods like SMS (I loath to give out my phone number). personally I'd rather use just a strong site-specific password than be forced to provide my phone number.

devinegan 2 years ago | | |

Use a previously breached password database like the one haveibeenpwned offers. https://haveibeenpwned.com/Passwords

jacquesm 2 years ago | |

Because users are idiots. Just like the people that build services. We all get it wrong and we all underestimate the risks. Professionals get phished and people will re-use passwords because it's easy to do and they simply don't understand or perceive the risk involved. They are unaware of how many breaches have already happened and that that password that they think is secure and only known to them is also known to hackers the world over due to previous dumps. It's not as if companies in general never pretended the breaches that they had didn't happen, that's very common practice to the point that it had to be outlawed in the EU.

ChrisArchitect 2 years ago |

[dupe]

Lots more discussion earlier: https://news.ycombinator.com/item?id=38856412