In the aftermath of the 23andMe data breach, Rebecca Harper at ISMS.online delivers a wake-up call to companies holding sensitive personal data
23andMe, a prominent genomics and biotechnology company based in South San Francisco, has placed the blame for a recent data breach squarely on its customers.
The breach exposed sensitive information and prompted the company to send letters to affected customers suggesting that the primary cause was the customers' own negligence: reusing passwords that had already been exposed in unrelated breaches elsewhere and failing to change them afterwards.
This accusation has sparked widespread concern among experts and consumers, shedding light on the urgent need for robust cyber-security measures and incident response planning in all consumer DNA testing and health companies, and in businesses generally.
Safeguarding against weak passwords
While users should practise secure password management, companies also have a responsibility to anticipate weak and reused passwords and to protect accounts against the intrusions they invite. That means a password policy, for customer accounts as much as for employee logins, that goes beyond complexity rules: screening new passwords against known-breached lists, enforcing a sensible minimum length, rate-limiting and locking out repeated login failures, and treating the password as only the first line of defence against unauthorised access to company data.
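As an added illustration for this article (not code from the original piece or from 23andMe), the Python below shows one way a registration or password-change endpoint can enforce such a policy: a minimum length, a check that the password does not contain the user's own identifiers, and a lookup against a breached-password corpus using the hash-prefix (k-anonymity) pattern, in which only the first five hex characters of the SHA-1 hash are sent to the lookup service and the final comparison happens locally. The breached-password list here is a small constructed stand-in for a real corpus; the function names, the threshold and the example passwords are assumptions for this example.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (in production: a full
# breach corpus or a range query to a service such as Pwned Passwords).
CONSTRUCTED_BREACHED = {"password123", "qwerty", "Summer2023!", "letmein"}

MIN_LENGTH = 12  # assumed policy minimum for this example


def sha1_hex(password):
    """SHA-1 is used here only as the lookup key of the range model; it is not
    a password-storage hash (stored passwords belong in Argon2 or bcrypt)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breached_suffixes(prefix):
    """Return SHA-1 suffixes (hex chars 5..40) of breached passwords whose hash
    starts with `prefix`. This mirrors the k-anonymity range model: the caller
    reveals only the first five hex characters, receives every suffix under
    that prefix, and does the final comparison locally."""
    assert len(prefix) == 5
    return {sha1_hex(pw)[5:] for pw in CONSTRUCTED_BREACHED
            if sha1_hex(pw).startswith(prefix)}


def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in breached_suffixes(h[:5])


def evaluate_password(password, user_context=()):
    """Return the list of reasons a candidate password is rejected; an empty
    list means it passes. `user_context` holds strings tied to the account
    (username, e-mail local part, surname) that must not appear in the password."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in user_context:
        if token and token.lower() in lowered:
            reasons.append(f"contains account-related string '{token}'")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

The breach check is the part that actually addresses password reuse: a password that satisfies every complexity rule is still worthless if it already sits in a public dump, and this check is what a company can do on the customer's behalf instead of blaming the customer afterwards.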
Rigorous cyber-security standards are essential in ensuring customer data remains secure. Companies can mitigate cyber-security risks and protect their operations by implementing zero-trust principles and following established best practices.
In the case of the 23andMe breach, the initial intrusion should not have led to such a widespread compromise. Credential stuffing gave the attacker direct access to only a small fraction of accounts; the bulk of the harvested data came from other users whose profiles those accounts could see through the opt-in DNA Relatives feature. Multilayered access controls and activity monitoring, such as flagging one source address attempting many different accounts, rate-limiting how many relative profiles an account can view, and stepping up authentication when behaviour changes, can prevent or halt that kind of pivot from a handful of compromised accounts into everyone else's data.
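The kind of monitoring meant here can be made concrete. The added Python below (an illustration for this article, not 23andMe's own detection logic) runs two checks over a constructed authentication and profile-access log: a credential-stuffing rule that flags a source address attempting many distinct accounts within a short window and lists which of those logins succeeded, since those are the accounts to lock and reset, and a scraping rule that flags an account viewing more relative profiles in a window than a person would browse by hand. The log format, event names, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: a burst of logins from one source address spread
# across many accounts (the credential-stuffing pattern, two of which succeed),
# a normal user mistyping a password twice, and one compromised account
# enumerating far more relative profiles than a person would open by hand.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z login_failed user=alice src=203.0.113.9
2023-10-01T02:00:02Z login_failed user=bob src=203.0.113.9
2023-10-01T02:00:03Z login_ok user=carol src=203.0.113.9
2023-10-01T02:00:04Z login_failed user=dave src=203.0.113.9
2023-10-01T02:00:05Z login_failed user=erin src=203.0.113.9
2023-10-01T02:00:06Z login_ok user=frank src=203.0.113.9
2023-10-01T02:00:07Z login_failed user=grace src=203.0.113.9
2023-10-01T02:05:00Z login_failed user=heidi src=198.51.100.7
2023-10-01T02:05:09Z login_failed user=heidi src=198.51.100.7
2023-10-01T02:05:20Z login_ok user=heidi src=198.51.100.7
2023-10-01T02:10:00Z relative_view user=carol profile=r1001
2023-10-01T02:10:01Z relative_view user=carol profile=r1002
2023-10-01T02:10:02Z relative_view user=carol profile=r1003
2023-10-01T02:10:03Z relative_view user=carol profile=r1004
2023-10-01T02:10:04Z relative_view user=carol profile=r1005
2023-10-01T02:10:05Z relative_view user=carol profile=r1006
2023-10-01T02:10:06Z relative_view user=carol profile=r1007
2023-10-01T02:12:00Z relative_view user=heidi profile=r2001
2023-10-01T02:14:30Z relative_view user=heidi profile=r2002
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a Unix timestamp."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"ts": ts.timestamp(), "event": parts[1]}
    for kv in parts[2:]:
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def _window_distinct(events, key, window_s):
    """Largest number of distinct `key` values inside any window_s-second
    window of the (time-sorted) events, plus the events of that window."""
    best, best_window = 0, []
    for i, e in enumerate(events):
        window = [x for x in events[:i + 1] if x["ts"] >= e["ts"] - window_s]
        distinct = {x[key] for x in window}
        if len(distinct) > best:
            best, best_window = len(distinct), window
    return best, best_window


def detect_credential_stuffing(events, window_s=600, min_accounts=5):
    """Flag source addresses that attempt >= min_accounts distinct accounts
    within window_s seconds; report which of those logins succeeded."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] in ("login_failed", "login_ok"):
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        n, window = _window_distinct(evs, "user", window_s)
        if n >= min_accounts:
            succeeded = sorted({x["user"] for x in window if x["event"] == "login_ok"})
            findings[src] = {"accounts_tried": n, "compromised": succeeded}
    return findings


def detect_profile_scraping(events, window_s=600, max_profiles=5):
    """Flag accounts that view more than max_profiles distinct relative
    profiles within window_s seconds (the pivot from one account to many)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "relative_view":
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        n, _ = _window_distinct(evs, "profile", window_s)
        if n > max_profiles:
            findings[user] = n
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("profile scraping:", detect_profile_scraping(evs))
```

On the sample, the first rule singles out 203.0.113.9 and names carol and frank as the accounts whose passwords worked, while heidi's two typos stay below threshold; the second rule catches carol's enumeration and ignores heidi's two views. In a real deployment the thresholds would be tuned against baseline traffic, and the scraping rule would be enforced in the application as a hard rate limit rather than only reported afterwards.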
Regulatory frameworks and standards
While 23andMe denied that the data breach resulted from an alleged failure to maintain reasonable security measures under the California Privacy Rights Act (CPRA), the incident again highlights the need for stringent regulatory frameworks governing the storage and use of genetic information.
Health companies are a prime target for cyber-criminals due to the sensitive nature of the data they possess. Hence, companies handling DNA and health data must adhere to clear regulations and uphold the highest data security standards.
ISO 27001, for instance, exists precisely to embed information security at an organisational level through regular risk assessments, access controls, staff training and constant vigilance. Basic password protection alone is insufficient, and presenting it as adequate security is misleading.
Monitoring compliance within a regulatory framework is a continual process: an organisation's environment is constantly evolving, and the effectiveness of controls can deteriorate over time.
Multifactor authentication as a standard
Given the increasing targeting of sensitive records such as health data, multifactor authentication (MFA) should be considered the baseline for authentication.
A second factor makes a stolen or reused password insufficient on its own, which is exactly the failure mode in a credential-stuffing attack. MFA also acknowledges the human factor in cyber-security: people fall for social engineering and make unintentional mistakes, and a second factor is the safety net when they do. Not all factors are equal, though. One-time codes sent by SMS or generated by an app stop credential stuffing but can be relayed by a real-time phishing page, whereas phishing-resistant methods such as FIDO2 security keys or passkeys bind the login to the genuine site.
Consumer DNA testing and health companies must not simply recommend MFA; it should be mandatory for every account, so that compromised credentials alone can never open an account.
Companies holding sensitive data have no excuse for not implementing MFA as a standard practice. 23andMe seemingly came to this realisation after the incident, forcing all its users to reset their passwords and requiring two-factor authentication for all customers.
Incident response planning
The 23andMe incident also highlights why organisations must have robust incident response plans in place. An incident response plan provides a clear framework for dealing with security events and breaches, facilitating rapid detection and coordinated action to assess and contain the damage.
Quick identification and isolation of compromised accounts and systems limits an attacker's ability to move laterally and reach additional data. Rapid response also enables faster customer notifications, which many jurisdictions mandate within fixed deadlines. Poorly handled incident response can multiply the overall damage from an attack.
Again, standards like ISO 27001 can help organisations shape their information security planning as it requires formally defined procedures for incident detection, response, and overall event management.
By embedding incident response into organisational processes and continually testing response plans, companies can react decisively when a real attack occurs. Robust cyber-security governance ensures threats are escalated urgently to executive level when an incident strikes. Plans should also cover crisis communications, so that public updates are timely and transparent when personal data is involved.
Plans for rapid incident response and communications are non-negotiable for consumer DNA testing, health tech, and other companies holding sensitive personal data. Maintaining trust depends on transparent handling of threats and risks to customer data.
Protecting genetic and health data
Even where stolen records lack direct identifiers, the theft of genetic and ancestry data can have severe consequences: unlike a password, it cannot be changed; it implicates relatives who never used the service; and it enables forms of fraud and extortion that are hard to foresee.
This breach is a stark reminder that privacy and security must be built into consumer DNA testing and health tech services from the ground up. With so much at stake, companies in this industry must be transparent about cyber-risks and address them proactively, combining multilayered defences, mandatory MFA and continuous monitoring so that customer data is better safeguarded against evolving threats.
Rebecca Harper is Head of Cyber Security Analysis at ISMS.online
Main image courtesy of iStockPhoto.com
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543