Source: michelmond via Alamy Stock Photo
Up against an onslaught of lawsuits, 23andMe is denying liability for millions of users' genetic records leaked last fall.
In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for whatever data might have been exposed.
As was revealed last month, hackers didn't breach the company's internal systems. Instead, they obtained access to about 14,000 accounts using credential stuffing, then accessed data from nearly seven million more through the site's optional DNA Relatives sharing feature.
The argument raises an important question for courts, as well as the broader cybersecurity industry: What share of responsibility lies with the user, versus the service provider, when credentials get stuffed?
"Everyone should know better than to use an unhygienic credential," says Steve Moore, vice president and chief security strategist at Exabeam. "But at the same time, the organization that provides the service ought to have capabilities to limit the risk of that."
23andMe's Rationale
The user group suing 23andMe argues that the company violated the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA), and the Illinois Genetic Information Privacy Act (GIPA), and committed a number of other common law violations.
To the first point, the company's lawyers explained, "users negligently recycled and failed to update their passwords" following prior incidents affecting their logins, "which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe's alleged failure to maintain reasonable security measures under the CPRA." Similar logic applies to GIPA, though they added that "23andMe does not believe that Illinois law applies here."
23andMe has not necessarily lived up to all of its lofty security promises. With that said, there were account security features available to customers which might have prevented credential stuffing, including two-step verification with an authenticator app. And, following the company's initial discovery and public notice, it implemented a series of standard security remediations, including notifying law enforcement, terminating all active user sessions, and requiring all users to reset their passwords.
"Equally important, the information that was potentially accessed cannot be used for any harm," the lawyers wrote. "The profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe's platform," and "the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver's license number, or any payment or financial information)."
The nature of the stolen data also discounts CMIA, the letter explains, as it "did not constitute 'medical information' even though it was individually identifiable)."
Who Is Responsible When Credentials Leak?
23andMe accounts are not uniquely insecure. "Any organization you can think of that has a customer portal, whether they want to admit it or not, has this problem, just not always at this scale," says Moore.
Thus a broader, deeper issue arises. Any one reused password can be blamed on its user, but, knowing that the practice is endemic across the Web, does some responsibility for protecting accounts then fall to the service provider?
"Liability, I think, is shared. And that's not a fun answer," Moore admits.
On one hand, users have a laundry list of best practices they can rely on to make account takeover not impossible, but at least very difficult.
At the same time, Moore points out, companies need to exert their own power to protect their customers, with the many tools they have at their disposal. Beyond offering (or requiring) multi-factor authentication, sites can enforce strong password thresholds, and provide notice to users when logins occur from unusual places or at unusual frequencies. "Then from a legal standpoint: What do your terms of service and acceptable use policy say? When a user accepts an agreement, what do they agree that their hygiene is going to be?" he asks.
"I think there should be a customer's bill of rights on this that says if you're managing sensitive personal information, customer portals must offer a way to check for strong credentials, a way to check against known breaches, and a way to make sure you have adaptive authentication or multi-factor that doesn't use fallible means like SMS. Then we can say: this is the minimum requirement," he says.