Deva on Breaches boosted:
DevaOnBreaches: Boosting Lorenzo Franceschi-Bicchierai (lorenzofb): NEW: More bad news for 23andMe.
The U.K. and Canada’s privacy watchdogs have launched a joint investigation into last year’s hack, which impacted 6.9 million 23andMe customers’ personal information.
People “need to trust that any organisation handling their most sensitive personal information has the appropriate security and safeguards in place,” said John Edwards of the U.K.’s Information Commissioner’s Office (ICO).
https://techcrunch.com/2024/06/10/uk-and-canada-privacy-watchdogs-investigating-23andme-data-breach/
The article, titled UK and Canada privacy watchdogs investigating 23andMe data breach goes in to details on the joint investigation which will ask the biggest question on whether 23andme followed proper security measures.
It also goes in to how 6.9 million people were targeted, which, according to the article, was about half their user base.
Apparently, the company didn’t detect the actors till September of 23, and it started in April of that same year. That’s roughly six months!
The only reason they knew anything about it was because of their unofficial reddit and the hackers posting there as well as a well-known hacking forum.
That’s probably got to be one of the worst ways to find out you’ve been owned, and we haven’t seen anything since the breach notice which I blogged about and kept people up to date on.
- Here’s more news on 23 and me that may not have been known before January 2024
- We’ve got an update on 23 and me and its still not great over there December 2023
- 23 and me owned, again: possibly a credential stuffing attack October 2023
The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
The actors used Password Spraying to get at the data which may include using passwords that belonged to other sites they used.
23andMe did not send comment to Tech crunch at the time of writing.