All News & Press

Lucy Burrows comments on 23andMe’s response to its data breach in ITPro

Associate Lucy Burrows provides insight on the 23andMe data breach and highlights the danger of firms blaming consumers instead of their own insufficient data protection practices in ITPro.

Lucy’s comments were published in ITPro, 4 January 2024, and can be found here.

“The hackers used a technique known as credential stuffing. Whilst the technique has been met by a distinct lack of prosecutions in the UK, in 2021 the French Data Protection Authority imposed a fine of €150,000 on a data controller and €75,000 on a data processor for failure to protect customers’ personal data against credential stuffing, demonstrating there is a level of accountability imposed on the data controller and processor with regards to preventing such attacks.
 
“There are three specific layers of measures 23andMe could have implemented to prevent the credential stuffing attack: bot detection, breached password detection, and multi-factor authentication.

“At this stage, it is unclear whether 23andMe had these security measures implemented at the time of breach, although the company has since made multi-factor authentication mandatory. You would think, given the sensitivity of the data that the company handles, that these security measures would be in place already.
 
“It is extremely damaging for 23andMe to blame their customers, especially in a climate where consumer trust in how companies safeguard data is rapidly eroding. This seems to be an attempt to discourage customers from pursuing legal action against them, which we have already seen through updates to their US terms of service.

“23andMe is certainly not justified in its response. Instead of blaming customers, the company should take responsibility, be transparent about the breach, and work to regain customer trust through improving their security measures.”

Maltin PR

Recent Posts

KP Law Highly Commended at the Modern Law Awards 2024

We are very pleased to share that KP Law has been Highly Commended at the… Read More

9 months ago

Keller Postman UK merges with Lanier, Longstaff, Hedar & Roberts to form specialist collective redress law firm KP Law Limited

Today Keller Postman UK Limited and Lanier, Longstaff, Hedar & Roberts LLP announce their merger… Read More

9 months ago

What is group litigation?

Group litigation, also known as class action or group legal action, is a process where… Read More

9 months ago

What’s been happening in January 2024?

What’s been happening in January 2024? In our regular monthly update, we share the latest… Read More

9 months ago

What is talcum powder cancer?

What is talcum powder cancer? Here, we explain what talcum powder cancer refers to and… Read More

10 months ago

Nathaniel Barber traces Birmingham City Council’s history of pay discrimination in Solicitors Journal

Senior Associate Nathaniel Barber discusses the equal pay claims surrounding Birmingham City Council and what… Read More

11 months ago