TechCrunch: 23andMe tells victims it’s their fault that their data was breached
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.
In the wake of the staggering data breach at 23andMe, where hackers accessed the genetic and ancestry data of nearly half of the company's customers, we have a difficult question to answer: Who actually bears the responsibility for cybersecurity?
While 23andMe’s attempt to entirely shift the blame onto victims for using recycled passwords is both ill-advised and insensitive, it does cast a spotlight on a rarely discussed aspect of digital security — the shared burden between companies and users.
The notion that companies alone are the bulwarks against cyber threats is a comforting but dangerously simplistic view. The 23andMe breach, like many before it, underscores the harsh reality that no digital fortress is impregnable. Hackers exploited weak user passwords to access 14,000 accounts, which then opened the floodgates to millions more through the DNA Relatives feature. This chain reaction of vulnerability is possible because of an uncomfortable truth: cybersecurity is a complex ecosystem where company protocols and user practices are inextricably linked.
Hassan Zavareei, representing the victims of the breach, rightly points out that blaming customers for a failure that ultimately lies in the company’s domain is untenable. And that's a reasonable legal position. But in practice, in a world where the data has already been breached, this does not unring the bell, and it does not absolve users of their own cybersecurity responsibilities. The harsh reality is that the use of recycled passwords - and the fallibility of humans in any security system - is a gaping vulnerability in our digital armour, one that we often ignore. As users, we must understand the critical importance of robust password practices and the adoption of available security measures like multi-factor authentication.
Proactively, companies must design systems that encourage strong security habits among users, fostering a collective cybersecurity ethic. Companies like 23andMe must prioritize stringent security measures and educate users on best practices. The introduction of mandatory multi-factor authentication post-breach is a step in the right direction, albeit a reactive one.
A dual focus is required: Companies must build resilient systems and foster a culture of security awareness, while users must adopt a more vigilant and informed approach to protecting their digital identities. The protection of our data is a corporate responsibility, but it is also a shared burden.
It's worth pointing out that the root of user responsibility in the 23andMe breach extends far beyond password management. It traces back to the very act of users uploading sensitive DNA data to the platform. This initial step, frequently undertaken without fully grasping the implications, exposed not only the individuals but also their relatives and families to potential cyber threats. By opting to share intimate information, users unwittingly expanded the attack surface for cybercriminals - which brings us right back to the broader and increasingly pressing issue of digital literacy and awareness.