UK and Canada's data chiefs join forces to investigate 23andMe mega-breach

The data protection watchdogs of the UK and Canada are teaming up to hunt down the facts behind last year's 23andMe data breach. The two-dog wolfpack of the Information Commissioner's Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) will look at whether the biotech biz's breach caused any customer harm, …

  1. Cav Bronze badge

    Just how were they supposed to detect the so-called "intrusion", which it wasn't, when the attackers were logging in using credentials that the users had used on other breached online services?

    If I use the same passwords on all online accounts and people within a system to which an account has access share their genetic data with me, then they and I are at fault.

    The 23 and Me customers are to blame. I belong to a number of genealogy groups and people are still constantly whining about having to go through the "unnecessary" process of MFA, despite so many of them having opened themselves up to this sort of attack.

    This is no different to the Snowflake attack but the tone of articles covering the two incidents is very different. Why? They are exactly the same thing.

    1. Anonymous Coward

      "Hey, look, a thousand US customers just logged in from this one Russian IP address. Must be a cruise ship or something, nothing to worry about."

      1. Cav Bronze badge

        These criminals are not stupid. I seriously doubt one IP would have been used.

        1. Bendacious Bronze badge

          Your comment implies that you think that every login worked. There would have been hundreds or thousands of failed attempts before a successful login. The attacker has a database of email addresses and passwords and is running through them to find one that has been reused on 23andMe. They may have used more than one IP address but there is no way they used a different one for each attempt. Running some web servers myself, these people tend to use the same IP address for half an hour and then rotate. It is so easy to spot a credential stuffing attack. If someone tries to log in and fails three or four times - same IP address, different username - that IP address gets automatically blocked. It doesn't even need to be permanently blocked, just for a few hours. It then becomes impossible to perform this type of attack.

          This is complete negligence on the part of 23andMe. The most basic monitoring of login attempts would have prevented this. I do this on websites that have almost no value to attackers because it is so easy to do. This type of attack has also been covered widely in the press in the past, so no one running a website can claim they never knew it was a possibility.

          1. Anonymous Coward

            Yup. fail2ban is stock software that does this - tell it how many failures to put up with, and after that the IP is banned for a defined period of time.

            Bonus points if it's configured to ACT like the login was attempted and failed, but will reject even correct logins from that IP for that period of time. Then the attacker can't tell if they're not guessing the password right, or if they've been banned.
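An added illustration of the two ideas in the posts above (the per-IP failure threshold with a temporary ban, and the "keep rejecting even correct logins while banned" behaviour). This is example code written for this page, not 23andMe's system and not fail2ban's implementation; the thresholds, the pbkdf2 user store, the IP addresses and the sample login events are all constructed assumptions. It generalises the threshold to a sliding window so that a few failures spread over a long period do not trip the ban.

```python
"""Credential-stuffing guard: per-IP failure counting with a timed ban.

Added example, not 23andMe's or fail2ban's code. Thresholds, the user store
and the sample events are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

BAN_AFTER_FAILURES = 4         # "three or four" failures from one IP trips the ban
FAILURE_WINDOW_SECS = 30 * 60  # failures older than this no longer count
BAN_SECS = 3 * 60 * 60         # "just for a few hours"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Demo password hashing; a real service would use a tuned scrypt/argon2 store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(plain_users: dict) -> dict:
    """Build a {username: (salt, hash)} store from constructed plaintext inputs."""
    store = {}
    for name, pw in plain_users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


class LoginGuard:
    """Counts failed logins per source IP and bans the IP after too many.

    While an IP is banned every attempt from it gets the same "denied" answer
    as a wrong password, even with correct credentials, so an attacker cannot
    tell a ban from a bad guess.
    """

    def __init__(self, users: dict):
        self.users = users
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def is_banned(self, ip: str, now: float) -> bool:
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]  # ban has lapsed; forget it
            return False
        return True

    def _credentials_ok(self, username: str, password: str) -> bool:
        entry = self.users.get(username)
        if entry is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def _record_failure(self, ip: str, now: float) -> None:
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW_SECS:
            window.popleft()  # drop failures that fell out of the sliding window
        if len(window) >= BAN_AFTER_FAILURES:
            self.bans[ip] = now + BAN_SECS
            window.clear()

    def attempt(self, ip: str, username: str, password: str, now: float) -> str:
        """Return "ok" or "denied"; the caller never learns why it was denied."""
        if self.is_banned(ip, now):
            return "denied"  # tarpit: identical answer to a wrong password
        if self._credentials_ok(username, password):
            return "ok"
        self._record_failure(ip, now)
        return "denied"


def replay(guard: LoginGuard, events: list) -> list:
    """Feed (time, ip, user, password) events through the guard; return results."""
    return [guard.attempt(ip, user, pw, t) for t, ip, user, pw in events]


# Constructed sample: a stuffing run cycling usernames from one IP, then a
# legitimate user behind that same address, then the same user after the ban.
SAMPLE_USERS = {"alice": "correct horse", "bob": "battery staple"}
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "carol", "leaked-pw-1"),
    (1.0, "203.0.113.7", "dave", "leaked-pw-2"),
    (2.0, "203.0.113.7", "erin", "leaked-pw-3"),
    (3.0, "203.0.113.7", "frank", "leaked-pw-4"),      # fourth failure: ban
    (4.0, "203.0.113.7", "alice", "correct horse"),    # right password, still denied
    (5.0, "198.51.100.9", "alice", "correct horse"),   # other IP unaffected
    (BAN_SECS + 10.0, "203.0.113.7", "alice", "correct horse"),  # ban lapsed
]


def demo() -> list:
    guard = LoginGuard(make_user_store(SAMPLE_USERS))
    return replay(guard, SAMPLE_EVENTS)


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, demo()):
        print(f"t={event[0]:>8.0f} {event[1]:<13} {event[2]:<6} -> {result}")
```

Keying the counter on the source address is what makes the pattern Bendacious describes visible: many different usernames, one IP, mostly failures. The ban is deliberately short, so a legitimate user who shares that address (for example, behind a corporate NAT) is locked out for hours at most, and the detector itself never touches the password store.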

            1. Bendacious Bronze badge

              Wow fail2ban can block IPs and still pretend to be trying the login - that is brilliant! I love the idea of wasting these people's time. I'm testing it on my websites right now, thanks anon.

  2. Woodnag

    Information Commissioner has a time machine!

    John Edwards, UK Information Commissioner, said: "People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place. This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected."

    Difficult "to ensure the personal information of people in the UK is protected." after the fact, shirley?

    1. Yet Another Anonymous coward Silver badge

      Re: Information Commissioner has a time machine!

      >People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place

      Didn't they already get caught being "very helpful" to police fishing for DNA crime scene matches

      1. Michael Wojcik Silver badge

        Re: Information Commissioner has a time machine!

        All I found in a minute or so of research are claims that they'll only release information to comply with a warrant, subpoena, or court order.

        Personally, I wouldn't use any of these firms in the first place; I don't trust their intentions or their practices.

  3. Cav Bronze badge

    "23andMe also took the curious step of blaming their own customers' poor security habits for allowing the breach to unfold – a bold PR move, for sure, and one we don't often see, perhaps for good reason."

    23andMe were quite right.

  4. Anonymous Coward

    How was this possible with 2FA?

    1. Anonymous Coward

      Re: 2FA

      Per the article, they only required 2FA after the breach.

  5. Anonymous Coward

    23andMe has always been

    what in French is called "piège à cons". It can be loosely translated as a trap for stupid persons, but I find the translation rather mild to my taste.

    Give away all your genetic profile just for fun. What were their customers thinking? It seems 23 in the company's name shows the average IQ detected in their customers.

  6. Tron Silver badge

    UK and Canada's data chiefs smell some free cash.

    Regulators are now part of the wider cash grab, alongside all the bus lane, LTN and ULEZ fines, now that policies like Brexit and interest rate rises have shafted the economy.

    It was tax. Then it was tax plus fees. Now it is tax plus fees plus fines. The state will chase after the tech industry every chance it gets.
