23andMe shifts blame to users for data breach

The DNA testing company 23andMe has had a rough few months. It first reported in October that customer data had been breached, and now its response to those breaches is in the spotlight because customers have taken legal action against the company. In an almost bizarre twist, 23andMe has stated in a letter that plaintiffs who moved to sue under the California Privacy Rights Act (CPRA) were not affected by any security breach as the CPRA defines one. The reason? It was all their fault. 23andMe's lawyers explained: “23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their login credentials…” The letter went on to say that users were negligent in failing to change passwords that had been exposed in earlier data breaches unrelated to 23andMe. In other words, the company is describing credential stuffing: an attacker replays username and password pairs leaked elsewhere against the login endpoint, and every account whose owner reused a breached password falls without any vulnerability in the service itself.
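The credential-stuffing pattern described in that letter has a recognisable signature in authentication logs: one source address tries a modest number of passwords against many distinct accounts and gets a low but non-zero success rate, which is the opposite of a brute-force run (many attempts against one account) or a forgetful user retrying their own password. The detector below is an added example, not 23andMe's code, logs or log format; the log lines, the `LOGIN_OK`/`LOGIN_FAIL` outcomes, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over constructed auth-log lines.

Added example (not 23andMe's code or logs). Flags a source IP that tries
many distinct accounts with mostly failures, the signature of a stuffing
run driven by passwords recycled from other breaches, and lists the
accounts it actually got into so they can be reset first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format: "<ip> <outcome> user=<name>").
# 203.0.113.7 sprays eight different accounts and lands two of them;
# 198.51.100.20 is one user fumbling their own password before succeeding.
SAMPLE_LOG = """\
203.0.113.7 LOGIN_FAIL user=alice
203.0.113.7 LOGIN_FAIL user=bob
203.0.113.7 LOGIN_OK user=carol
203.0.113.7 LOGIN_FAIL user=dave
203.0.113.7 LOGIN_FAIL user=erin
203.0.113.7 LOGIN_OK user=frank
203.0.113.7 LOGIN_FAIL user=grace
203.0.113.7 LOGIN_FAIL user=heidi
198.51.100.20 LOGIN_FAIL user=ivan
198.51.100.20 LOGIN_FAIL user=ivan
198.51.100.20 LOGIN_OK user=ivan
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<outcome>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while parsing."""
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)      # distinct accounts tried
    compromised: set = field(default_factory=set)   # accounts with a LOGIN_OK


def parse(log_text):
    """Group login events by source IP; lines that do not match are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.accounts.add(m["user"])
        if m["outcome"] == "LOGIN_OK":
            s.successes += 1
            s.compromised.add(m["user"])
    return stats


def detect_stuffing(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: sorted list of accounts it logged into} for sources that
    hit at least `min_accounts` distinct accounts with a success rate no
    higher than `max_success_rate`.  Thresholds are illustrative."""
    hits = {}
    for ip, s in parse(log_text).items():
        many_accounts = len(s.accounts) >= min_accounts
        mostly_failing = s.successes / s.attempts <= max_success_rate
        if many_accounts and mostly_failing:
            hits[ip] = sorted(s.compromised)
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected, accounts opened: {accounts}")
```

On the constructed log this flags only 203.0.113.7 and names carol and frank as the accounts to reset; ivan's three attempts against a single account do not qualify. A real campaign rotates source addresses through proxies, so in production the same counters should also be keyed by client fingerprint (user agent, TLS fingerprint) and bucketed by time window, and the accounts that succeeded should be checked against a breached-password list, since a hit there is what makes "the user reused a password" a finding rather than a guess.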

The real kicker, however, was the assertion in the same letter that the “information that was potentially accessed cannot be used for any harm.” Nick Rago, field CTO at Salt Security, explained why this statement is ill-founded:

“In this age of sophisticated social engineering attacks, any claim that a data breach cannot cause ‘pecuniary harm’ because it did not consist of social security numbers, driver’s license numbers, or credit card data has to be made tongue in cheek. In 2023, we saw how social engineering tactics used as the first wave of an attack campaign have wreaked havoc for not only consumers, but for large corporate entities as well.”

He went on to say: “Exposing any genealogy or relationship information would be quite useful to an attacker when building a targeted social engineering attack, whether it be targeted at scamming a consumer, stealing an ident ..
