In October 2023, personal genomics company 23andMe experienced a significant data breach that

compromised the profile and ethnicity information of approximately 6.9 million users. The breach
was executed through a credential-stuffing attack, where attackers used previously stolen credentials
to access user accounts. Notably, the compromised data included sensitive information such as
names, profile photos, birth years, locations, family surnames, grandparents' birthplaces, ethnicity
estimates, and genetic haplogroups. The attackers targeted specific ethnic groups, including
Ashkenazi Jews and individuals of Chinese descent, raising concerns about potential misuse of
genetic data for discriminatory purposes.

en.wikipedia.org

Connection to Course Material:

This incident underscores several critical aspects of data security and privacy discussed in our course:

1. Vulnerability to Credential-Stuffing Attacks: The breach highlights how reliance on

password-based authentication can be exploited, especially when users reuse passwords
across multiple platforms.

2. Risks of Data Aggregation: The extensive personal and genetic information collected by
companies like 23andMe can become a lucrative target for cybercriminals, emphasizing the
need for robust data protection measures.

3. Ethical Implications of Genetic Data Handling: The targeted nature of the breach raises
ethical concerns about how sensitive genetic information can be misused, potentially leading
to discrimination or stigmatization of specific ethnic groups.

Mitigation Strategies and Recovery Approaches:

To address and prevent such breaches, the following strategies are recommended:

1. Implement Multi-Factor Authentication (MFA): Requiring users to provide multiple forms of

verification can significantly reduce the risk of unauthorized account access.

2. Enhance User Education: Educate users about the dangers of password reuse and encourage
the use of strong, unique passwords for different platforms.

3. Regular Security Audits: Conduct periodic assessments of security protocols to identify and
rectify vulnerabilities in the system.

4. Data Minimization and Encryption: Limit the collection of sensitive data to what is necessary
and ensure that all stored data is encrypted, reducing the impact of potential breaches.

5. Swift Incident Response Plan: Develop and maintain an incident response plan that includes
immediate actions such as notifying affected users, providing support like credit monitoring
services, and collaborating with law enforcement agencies.

By adopting these measures, organizations handling sensitive personal data can strengthen their
defenses against cyberattacks and mitigate the adverse effects of potential data breaches.