A threat actor has recently been discovered selling data belonging to nearly one million customers of DNA testing company 23andMe. This alarming revelation has led to concerns about potential anti-Semitic motivations behind the data theft. According to reports, the threat actor is selling the information for $1,000 per one hundred profiles, or $100,000 for one hundred thousand profiles. The database in question is titled “Ashkenazi DNA Data of Celebrities,” indicating that it mainly focuses on individuals with Ashkenazi Jewish ancestry.
Ken Westin, Field CISO of Panther Labs, finds the ethnic targeting in this incident troubling. He states that “the attackers specifically targeted an ethnic group and exposed sensitive information about individuals based on ethnic heritage.” Westin goes on to express his concerns about the slow pace of regulation and law enforcement actions regarding the use and protection of DNA data, stating that this incident is just the beginning when it comes to breaches of DNA data.
According to a spokesperson from 23andMe, the attack appears to have been carried out through a technique known as credential stuffing. This involves using login credentials gathered from data leaked during previous incidents involving other online platforms where users have recycled their login details. However, it is worth noting that the attackers were also able to gather information from compromised accounts that had opted into 23andMe’s DNA Relatives feature, which enables users to find and connect with their genetic relatives.
Credential stuffing is not a sophisticated technique and can be easily thwarted with multi-factor authentication or other verification methods. However, many consumers do not have the resources or knowledge to implement such security measures. Lior Yaari, CEO and co-founder of Grip Security, emphasizes that enterprises invest heavily in identity security, but individuals often reuse their personal passwords for work, which can lead to compromises in corporate systems.
Tyler Farrar, CISO at Exabeam, advises organizations to focus on addressing the challenges associated with compromised credentials and distinguishing between normal and abnormal behavior. He stresses the importance of educating users about safe credential practices, ensuring complete network activity visibility, and implementing robust technical safeguards such as multi-factor authentication. Farrar also recommends establishing a clear behavioral baseline for users and devices on the network to detect deviations that may indicate compromised credentials.
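The baseline approach described above can be sketched as a small detector. This is an added example, not code from the article or from 23andMe: the log format, the thresholds and the sample lines are all assumptions constructed for illustration. It flags a source that tries many distinct accounts with mostly failed logins, then reports successful logins from that source that fall outside the user's established baseline.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2023-10-01T08:00:01Z ip=198.51.100.10 user=alice result=ok
2023-10-01T08:05:12Z ip=198.51.100.22 user=bob result=ok
2023-10-02T03:00:00Z ip=203.0.113.7 user=alice result=fail
2023-10-02T03:00:01Z ip=203.0.113.7 user=carol result=fail
2023-10-02T03:00:02Z ip=203.0.113.7 user=dave result=fail
2023-10-02T03:00:03Z ip=203.0.113.7 user=bob result=ok
2023-10-02T03:00:04Z ip=203.0.113.7 user=erin result=fail
2023-10-02T09:00:00Z ip=198.51.100.10 user=alice result=fail
2023-10-02T09:00:09Z ip=198.51.100.10 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m[1], m[2], m[3], m[4] == "ok"

def detect(log, min_users=5, min_fail_ratio=0.7):
    """Return (stuffing_ips, compromised); thresholds are assumed values."""
    users_by_ip = defaultdict(set)
    attempts, fails = defaultdict(int), defaultdict(int)
    events = list(parse(log))  # assumed to be in time order
    for _, ip, user, ok in events:
        users_by_ip[ip].add(user)
        attempts[ip] += 1
        fails[ip] += not ok
    # Stuffing signature: one source, many distinct accounts, mostly failures.
    stuffing_ips = {ip for ip in attempts
                    if len(users_by_ip[ip]) >= min_users
                    and fails[ip] / attempts[ip] >= min_fail_ratio}
    # Baseline: sources each user has previously logged in from successfully.
    baseline, compromised = defaultdict(set), []
    for ts, ip, user, ok in events:
        if ok and ip in stuffing_ips and ip not in baseline[user]:
            compromised.append((user, ip, ts))  # reused password likely worked
        elif ok:
            baseline[user].add(ip)
    return stuffing_ips, compromised

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Accounts returned in `compromised` are the ones to force through a password reset and a multi-factor challenge; a user who mistypes a password from a known source, like `alice` in the sample, is not flagged.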
The underprotection of DNA data is another significant concern raised by experts. Westin comments that DNA data has largely been treated like personally identifiable information (PII) and lacks proper regulation and protection. Colin Little, a Security Engineer at Centripetal, highlights the potential consequences of genetic ancestry results being stolen, including data extortion and identity theft. He argues that this breach, like many others, could have been prevented with a proactive approach based on intelligence-powered cybersecurity and effective security awareness programs.
In conclusion, the sale of customer data from 23andMe highlights the need for stronger regulations and protections in the DNA mapping industry. The incident also emphasizes the importance of implementing robust security measures and educating individuals about safe credential practices. As the threat landscape continues to evolve, it is crucial for organizations and individuals to stay vigilant and take proactive steps to protect sensitive data.
