Vancord CyberSound

095 - Personal Privacy vs. Progress: Implications of the 23andMe Leak

Vancord Season 1 Episode 95

Recent news has surfaced concerning the popular DNA Testing company 23andMe, as a security breach has compromised the data of thousands of users. This conversation delves into the consequences of such occurrences and examines the varying perspectives surrounding user accountability versus the company's obligation to protect sensitive information.


In this segment, Jason and Michael are accompanied by Vancord's Rob McWilliams, Data Privacy Consultant, and Brian Brehart, Information Security Officer, as they navigate the evolving landscape of data breaches and address the possible legal implications.

______________
Stay up to date on the latest cybersecurity news and industry insights by
subscribing to our channel and visiting our blog at https://www.vancord.com/💻.

Stay Connected with us 🤳
LinkedIn: https://www.linkedin.com/company/vancord
Facebook: https://www.facebook.com/VancordCS
Instagram: https://www.instagram.com/vancordsecurity/
Twitter: https://twitter.com/VancordSecurity

00:02

This is CyberSound, your simplified and fundamentals-focused source for all things, cybersecurity.


Jason Pufahl  00:11

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today as recently, by Michael Grande, our CEO, and Rob McWilliams today, Data Privacy Consultant, who's, we've worked together now for the better part of four years, Rob, so it's a pleasure to have you back.  And Brian Brehart, who is one of Vancord's Information Security Officers on our vISO team. So Brian, thanks for joining. 


Rob McWilliams  00:27

Thank you, Jason. 


Brian Brehart  00:32

Anytime. 


Jason Pufahl  00:34

So we've had now some good banter around this for a half hour as we sort of prepare for this. But we're going to talk a little bit today about the, I guess the data leak, I've seen it called breach, I've seen it called it leak. But, we'll stay with leak today. 23andMe had initially reported roughly 14,000 user records were accessed, as a little bit more data came to light, I think that bumped up to approximately somewhere between 6 and 7 million. And the initial reports really were, the 14,000, were a result of password reuse. So essentially, users that had used a password on another site, subsequently used it then on the 23andMe site. They contend that the the passwords were compromised somewhere else. And they were basically, passwords stuffed or reused to try to try to access data in 23andMe. And I think they've actually filed sort of a formal response via, a legal form of response that says, it's not really our fault, users should have taken more responsibility to protect their credentials. And it's a shame that the data was accessed. But, you know, a significant responsibility lies with the user. I think that's what we really should spend some time exploring today. Because it's a it maybe it's an it's an it's an atypical response for these types of things. So, so I'm going to throw that out there. And I'm wondering, anybody have a have a thought or a comment to start with?


Brian Brehart  02:11

Yeah, actually, I do. So this is something that in my career as a security professional, we've debated in roundtable discussions, we debated in on premise, you know, sitting in the office, gone to, you know, all the all the things that security professionals go talked about things. And it's, it's kind of this, this idea that the the users are going to one day, just understand how serious this is, and take it into their own hands to make sure that their passwords are long and complex, and they use password managers. And the reality is they're not, they're not going to do this. So we as security professionals need to acknowledge the reality and do everything we can, especially with a company like 23andMe, where whether it's right or wrong, the data they collect, people are terrified of that getting out. And so at least from a marketing perspective, they need to make sure they can't just comply. They need to go above and beyond and understand that we can't rely on users we just, and and it's not their job. It's not user's job. So we have to do ours. So that's, that's mine in a nutshell.


Michael Grande  03:48

Go ahead, Rob.


Rob McWilliams  03:49

I think there are two ways of looking at this. One is the common sense approach. And one is the legal approach. And they're not always the same thing. You've articulated the common sense approach, I think, Brian, that and most reasonable people would agree with you. The interesting thing is I think that the legal situation probably coincides with the, in this case with the common sense approach. This is undoubtedly data that is regulated by privacy laws, whether in the United States or overseas. Europe, GDPR, places, places and regulations like that, as you point out, it's sensitive data. It's information about your ancestry, who you are related to you, where you come from. This is this is not inconsequential, data. And under, under those privacy laws, companies have a general obligation to maintain reasonable security standards. Now you can point perhaps and say it or you use it in your terms of use, you know, you have to maintain a high quality password, or whatever. But even if that is true and acceptable, the one thing in this case, if I've understood it correctly that kind of nullifies that, is that one user's bad passport, password, sorry, gave access to other users data. So I could have a Fort Knox password on my account, but it doesn't protect my data, because 23andMe has this function that allows you to share information and,


Jason Pufahl  05:42

Bring their relative sharing feature, right, don't they call it that? 


Rob McWilliams  05:45

Right. And that's something they've developed as part of their commercial service. And so I, I'm, I'm with you. And I think the law is with you that 23andMe cannot just point at the users and say, you haven't maintained strong enough password. 


Michael Grande  06:01

Yeah, and my point was, was, you know, sort of analogous to that, which was, there's an implicit expectation of additional security protocols and standards, when, you know, some cases collecting DNA information, very personal, really, to a certain extent, there's an unknown, you know, future for what that data and where that data can go and what it can be used for, in many cases. And I think that there's a sort of a fad. I'll just say it's a trendy thing, right, the Ancestry.com, 23andMe, let's expand and see how far, you know, our connections go in family members, and in our, you know, sort of our heredity, and let's learn more, which is great, information is great. But I think Brian very clearly put, you know, the expectation of privacy and protection is there. And just because there's some small print that says the obligation is with the user, the standards need to be higher. And the expectation that the clients use, I mean, just 14,000, turning into 6.9 million, simply because of this feature that expands, they've only got 14 million accounts. And that's not a small number, but that's an incredible, that's half of their user base. And I think that that's, you know, it's really scary as a consumer, you know, I, I'd be really concerned about what this means and what their internal protocols and their systems are, if their first reaction is, it's not our fault. You were, you know, you client, it's, you know, your accounts were lazily set up or protected. It's on you.


Jason Pufahl  07:32

And so I think that's, I think that point that Rob made, which is the the decision or the choice, by a small percentage of users had a great impact on 50% of users, right. So I think 23andMe said that they did not require multi-factor, but they had offered it as an option, and people didn't avail themselves to it. I think you have to enforce things like that, right? Because you can't really permit somebody's bad choice to have that kind of an impact on the broader population. I think that's really one of the egregious things here.


Brian Brehart  08:04

Yeah, that's, and that's to, and I'm glad Jason, you made that point, is that they made it an option. And, you know, I have to be the way I've always looked at, like, when you write policies, when you write processes, when you put together these things, I always look at security, like raising children, that if you, because they don't know, and that's the thing, users don't have to know, we would like them to, we put out awareness training, you know, every tech magazine, every social media has, hey, ways to protect your password, ways to protect your account. But at the end of the day, they don't read them. I mean, if you've ever been on social media, there's people still kind of proud that they don't know how to set up the clock on VCR, right? And it's like, okay, we're in a technological age. And, you know, but that's the thing is you have to accept that this is what's going to happen. So you have to do things like you have to force it. And if the users complain, fine, but that's why you have support teams that will help take them through the process. Then you also have marketing things, to explain, hey, this is to protect your info. We're doing this for you. And you just you just take the hit and you know, and so that's the thing is that it's better. I mean, think of it this way, it's better to have to take an irate user support call. I don't know how to create my password, then have to go through this media blitz about, you lost all these people's information and now you got to backtrack and you've got to, you know, do some duck and cover. I don't know, I'd rather have just my help desk, help someone then have to do this so, 


Jason Pufahl  10:01

And the companies know, so the users may not recognize the risk of password reuse. But the companies understand it. I know that when I do security awareness training, and I ask people to raise their hand, if they have a unique password for every website or company they interact with, and zero hands go up, every single time I asked a question, I know. So 23andMe, I think had a responsibility to recognize that and better protect those accounts. And I think that's, that's the problem.


Rob McWilliams  10:32

I absolutely agree. I mean, they, other companies that are arguably handling less sensitive personal data, do force a certain standard of password, and do force regular resets and sometimes enforce some level of two-factor authentication. So why a company handling this sort of data didn't I think is a very valid question. I think the other thing I noticed in one of 23andMe's responses or outputs was that no harm was going to result from this breach. And they said, let's not, this is not data that's going to lead to you losing money, you know, it doesn't involve, it's not going to lead to identity theft, or whatever. That may be true. But it's a rather old fashioned view, I think of how personal data can be misused. Yeah, you're probably not going to have your bank account drained because of this breach. But revealing your relationships and your ancestry can cause harms. That's that's documented, there were loads of stories about people finding out they're not related to who they thought they were related to. And related to people they didn't think they were related to.


Michael Grande  12:00

Harm is relative to sort of keeping up the trend.


Rob McWilliams  12:03

This is sensitive data. And I, does look to me, like they have serious questions to answer about whether they've protected it adequately.


Brian Brehart  12:14

And to your point, Rob, this time. And at this moment, that's the one thing about security that we know is that we have to still monitor and maintain, because we don't know what this could, there could be another way this could be used. And so, that we haven't thought of or, you know, that will say the attacker hasn't tried yet. And you know, that's the first rule of security. You know, it's not if, but when? 


Jason Pufahl  12:53

And and I think we all see, you know, the attackers are really creative in how they use this data, like they go, the ransomware is something that, frankly, I didn't conceive of 10 years ago, somebody did, and you know, here we are, right. So somebody will think about some creative way to utilize this data. I mean, they're trying to charge you or they're offering the opportunity to this to this impacted population to pay between $1 and $10, to have their data expunged, like, alright, they're your that's your sort of standard. Yeah, how do I make money off of this? But, the data has other uses for sure, so yeah. I mean, I think we're kind of coming to an end. One thing I wanted to ask was, you know, Brian, do you actually know how to set the time on a VCR? I don't know that, I don't know that anybody knows how to do that?


Brian Brehart  13:43

Well, and, you know, to that point, I wonder what we as security professionals, I mean, I know we all if you're if you're a working individual, everybody gets awareness training, or at least they should, right? But what about the people who aren't? How do we, you know, the the article mentioned, the laundry list of ways people can protect their passwords, and I went to the, to the dark reading article it referenced, there's two, use long and complex and use a password manager. To me, that's not a laundry list. Now, I use a password manager, but I'm a security professional. How do we teach people to use because that is to me, if not the most effective, one of the most effective ways of combating this problem because you don't have to remember it. They're portable, right? But, you know, I tried to get my family and friends to use it and they're like, ah, it's just it's just too complex. I don't get how this works.


Jason Pufahl  14:49

And that's the crazy part because they make they make creating a password easier, they make accessing a password like, honestly, I think it's a world of convenience. 


Michael Grande  14:57

Oh, for sure. Yeah, there's an adoption sort of hinderance here, you know, it feels so onerous. Well, it's going to take me so long to figure out how many passwords I have and ultimately get to those sites. But once you start your natural progression of visiting different websites, or accessing different applications, just automatically takes over, makes the process so much easier. 


Rob McWilliams  15:20

I think you, I think your point Brian is a very good one that this is a consumer oriented organization. So the people who are using it are not getting nagged by the company, to create a certain type of password or force to change it. These are just, you know, folk who may not be getting this advice, 


Jason Pufahl  15:40

In fact, probably aren't, ya know.


Brian Brehart  15:44

Sounds like another CyberSound episode, on how to how to use your password manager.


Michael Grande  15:53

Some How To's, yeah.


Brian Brehart  15:55

Do we have to do a recommendation? Are we allowed to have recommendations?


Jason Pufahl  15:59

Yeah, we're not sponsored by anybody. So we can say anything we want.


Brian Brehart  16:04

Because I use a bunch. One Password is one I use, and it's fantastic.


Jason Pufahl  16:08

Yeah. So you know, it LastPass has had its share of documented issues. And, frankly, I know a lot of people who have to who still have confidence in that tool they did they didn't, their their credentials weren't accessed in spite of the problems that they had. And Bitwarden is probably another one that's that's gotten a little bit more popular, I think, partly because there's a really kind of pretty robust free option there. 


Rob McWilliams  16:33

I have a little green post it note on my laptop, password one, password three, to my really good one, pass one, you know, no one's gonna guess that,


Jason Pufahl  16:45

If you substitute a zero for the "O", right. So obviously, those are all things not to do. That's the laundry list of bad exam.


Michael Grande  16:52

Right, right.


Brian Brehart  16:54

So that's another episode. 


Jason Pufahl  16:55

That's a good idea. Brian, I think we probably should do that. We tend to be a little bit more strategic. But I think you're right, people probably need the simple, how do I actually protect myself against it? Because it's like, the keys to your house. Right? There's nothing more important than protecting those, you want to protect your digital credentials as well. Well, guys, thanks for joining. I think this is an interesting topic, honestly. And and I'll be really curious to watch where any sort of this legal response goes, because it's one I wouldn't have, its position I wouldn't have expected them to take. I'm kind of hopeful they might back off of it. But if not, then we get to see,


Michael Grande  17:36

The more entrenched they become, maybe the more ridicule they're subject to of course.


Jason Pufahl  17:39

Yeah, for sure. So if anybody wants to if anybody has info on this, that maybe we didn't touch on and wants to drop us a note. You know, feel free to comment, certainly in YouTube, or any of the common places. I've been told now that we need to tell people to like, or to comment in some way because that actually helps a lot with people, like and share, like and share what you say Brian, mash that like button? 


Brian Brehart  18:02

Smash that like button. 


Jason Pufahl  18:03

So that's what we're gonna ask people to do, our producer is cringing, I'm not sure he loves that so much. And as always, we appreciate people listening. We hope you got some value out of this, Rob and Brian in particular. Thanks for joining today. Appreciate it.


Rob McWilliams  18:21

Thank you. 


Brian Brehart  18:22

Thanks for having me.


18:24

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.