To be clear, the victims of this breach may be targeted for much more than just identity theft or monetary losses, given the way the stolen data has been deployed. This was the first ever industrial-scale attempt to target people of a specific ethnicity using genetic data to identify and "doxx" them for potential hate crimes.
One could easily see, e.g. a citizen of a middle eastern country who had some surprising Ashkenazi background being targeted for death as a result of this.
Exactly. The number of people making light of this in this thread is unsettling, to put it mildly. If that's the 'tech savvy' crowd then you have to really worry about everybody else. The parallels with the Dutch citizen registry story from WWII are just too much to ignore.
We'll see how the EU data protection offices feel about that. Just imagine having something like this happen and then giving your customers the finger. The lack of ethics is impressive. I sincerely hope they get fined into oblivion as a nice example to the next medical company that doesn't understand their responsibilities towards their users.
Even if there's no financial compensation for the victims, it makes sense to make an example out of a company that doesn't actually take data privacy and security seriously.
It would be a dangerous precedent though. Assuming they have a reasonable password policy, it seems the breach was in no way related to a failure by 23 and me.
Sure they could do better, but are they legally required to be better? They could force 2fa, or 3fa, or 4fa, and disable accounts that go inactive for more than a week and require a validating DNA sample in the mail to reactivate.
If they're "made an example of" what exactly does that mean? At what point is an entity legally responsible for the irresponsibility of its users?
The allegation is that they weren't taking reasonable steps to safeguard customer data under California law; the problem is that it's not stated what reasonable is. What's needed here are clearer regulations.
If some authority doesn't roll out the guillotine for this one then we should all just give up believing citizens are important in the eyes of the state.
From what I understand, the hack was due to a large number of people re-using passwords and the company doing nothing to prevent or detect this.
Security practices and their ludicrously bad response aside, I cannot fathom why someone would send their literal DNA to a company and then take no steps to secure that information. Is technical literacy really this poor amongst the general population? Even my retiree dad who can't reliably turn his TV on knows about MFA.
> the company doing nothing to prevent or detect this.
How would they do that?
I'm not defending 23andMe but I really don't see how a service can detect that the password I chose on their website is the same I chose on a different one. Not without: a) them knowing what my chosen password is; and b) them knowing my passwords on other websites.
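On the question this post raises, an added example that is not from the thread: a service can check whether a chosen password already appears in public breach dumps without ever learning the password and without knowing anything about the user's other accounts, using the k-anonymity range-query pattern popularised by Have I Been Pwned's Pwned Passwords. The client hashes the password locally and sends only the first five hex characters of the SHA-1; the server returns every suffix it knows under that prefix and the match is made client-side. The breach corpus below is constructed for the example, not real leaked data.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not real leaked data).
CONSTRUCTED_BREACH_CORPUS = ["password", "123456", "letmein", "qwerty"]

PREFIX_LEN = 5  # hex characters revealed to the server (HIBP convention)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, matching the Pwned Passwords format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus):
    """Server side: index breached hashes by their 5-char prefix.

    Only hashes are stored; the server never needs plaintext passwords.
    """
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix: str):
    """Server side: answer a range query.

    The server learns only a 5-char prefix, which maps to many unrelated
    hashes, so it cannot tell which password the client is checking.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return list(index.get(prefix.upper(), []))


def is_password_breached(password: str, index) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(index, prefix)


def accept_new_password(password: str, index, min_len: int = 12) -> bool:
    """Registration-time policy: reject short or already-breached passwords."""
    if len(password) < min_len:
        return False
    return not is_password_breached(password, index)
```

The same client-side check can run at login time against the stored hash prefix, which is how a service flags accounts whose existing password has since shown up in a dump and forces a reset.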
Because users are idiots. Just like the people that build services. We all get it wrong and we all underestimate the risks. Professionals get phished and people will re-use passwords because it's easy to do and they simply don't understand or perceive the risk involved. They are unaware of how many breaches have already happened and that that password that they think is secure and only known to them is also known to hackers the world over due to previous dumps. It's not as if companies in general never pretended the breaches that they had didn't happen, that's very common practice to the point that it had to be outlawed in the EU.
noduerme|2 years ago
https://www.nbcnews.com/news/us-news/23andme-user-data-targe...
jacquesm|2 years ago
jacquesm|2 years ago
ticulatedspline|2 years ago
chii|2 years ago
ticulatedspline|2 years ago
They even offer 2-factor: https://customercare.23andme.com/hc/en-us/articles/360034119...
tjpnz|2 years ago
anotherhue|2 years ago
I think we all know the answer already.
synicalx|2 years ago
cassianoleal|2 years ago
jacquesm|2 years ago
ChrisArchitect|2 years ago
Lots more discussion earlier: https://news.ycombinator.com/item?id=38856412