
Why Don’t Companies Like 23andMe Detect Hackers for Months?

The DNA testing company 23andMe has a bit of a troubled past. Initially they said that their recent cyber attack affected only 14,000 of their 14 million users and, in a sense, this is true. What is also accurate is that the hackers didn’t take advantage of bugs in the company's software; they took advantage of "bugs" in its customers.

Customers love to reuse passwords, even when those passwords have been compromised in other breaches. In many cases, users don’t even remember where they are reusing them.

In the end, 23andMe says that the DNA and other information for about half of its customers – almost 7 million people – was compromised. That information includes name, birth year, percentage of DNA shared with relatives and other information.

In an effort to blunt the legal force of the breach, after the fact, 23andMe changed their terms of service to outlaw mass arbitration and, instead, force each person to submit to individual arbitration. Their objective is to make it very difficult to hold the company accountable. Lawyers representing the victims are fighting back and forcing 23andMe to defend in court its post-breach change of terms of service in its own favour.

23andMe admitted that hackers started breaking into customer accounts in April of last year and continued to do so at least through September. The company said that they finally noticed what was happening to their customers in October, when the hackers started offering the stolen data for sale on Reddit and another hacking forum. They did not notice the same data being offered for sale on a different hacking forum in August.

While 23andMe has not explained why they did not notice the attacks for five months, the answer is likely very simple. They were not looking for the right things.

As a business you can log a variety of events – or none at all. You can also alert on a number of events or, again, none at all. Was 23andMe negligent? That is up to the courts to decide (or, possibly, a private arbitrator likely paid for by the offender).

But it is fair to say that if you don’t look for the right events, don’t alert on the right events and don’t investigate those events, hackers can roam freely, possibly forever.

Even if you hire a third party security operations center or use a managed endpoint monitoring service, that might not help. You still need to be looking for the right things.
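To make "looking for the right things" concrete: an attack built on reused passwords (credential stuffing) leaves a distinctive trace in ordinary authentication logs, namely one source address trying many different accounts in a short window, with a few of them succeeding. The following is an added example, not code from 23andMe or from the original post. It assumes a constructed, simplified log format of `timestamp source-IP account result` and uses sample lines made up for this illustration; the thresholds (`window`, `min_accounts`, `min_success`) are assumptions to be tuned against a real login baseline.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Assumed log format (constructed for this illustration, one event per line):
    <ISO-8601 timestamp> <source IP> <account> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 walks through many accounts with a few
# successes (credential stuffing); 198.51.100.9 is a user who mistyped once.
SAMPLE_LOG = """\
2023-04-02T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-04-02T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-04-02T10:00:03Z 203.0.113.5 carol@example.com SUCCESS
2023-04-02T10:00:04Z 203.0.113.5 dave@example.com FAIL
2023-04-02T10:00:05Z 203.0.113.5 erin@example.com SUCCESS
2023-04-02T10:00:06Z 203.0.113.5 frank@example.com FAIL
2023-04-02T10:05:00Z 198.51.100.9 alice@example.com FAIL
2023-04-02T10:05:30Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_accounts=5, min_success=1):
    """Flag source IPs that try >= min_accounts distinct accounts inside
    `window` with at least min_success successful logins among them.

    Returns one alert dict per offending IP, listing the accounts that were
    successfully logged into (the ones an analyst must treat as compromised).
    """
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside it.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {e[2] for e in in_window}
            successes = {e[2] for e in in_window if e[3] == "SUCCESS"}
            if len(accounts) >= min_accounts and len(successes) >= min_success:
                alerts.append({
                    "ip": ip,
                    "first_seen": in_window[0][0].isoformat(),
                    "distinct_accounts": len(accounts),
                    "compromised": sorted(successes),
                })
                break  # one alert per IP is enough to trigger investigation
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The point of the example is the second paragraph of the rule: a single user failing and then succeeding on their own account is normal and generates nothing, while one address touching five accounts in a few seconds is worth an alert even though every individual login looked like a valid password. A rule of this shape only works if failed logins are logged at all, which is the "right events" question raised above.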

If you need assistance with this or want a third party to review what you are doing, please contact us.

Credit: Tech Crunch and Tech Crunch

