by ticulatedspline 900 days ago
It would be a dangerous precedent though. Assuming they have a reasonable password policy, it seems the breach was in no way related to a failure by 23andMe.

They even offer two-factor authentication: https://customercare.23andme.com/hc/en-us/articles/360034119...

Sure, they could do better, but are they legally required to be better? They could force 2FA, or 3FA, or 4FA, and disable accounts that go inactive for more than a week and require a validating DNA sample in the mail to reactivate.

If they're "made an example of", what exactly does that mean? At what point is an entity legally responsible for the irresponsibility of its users?

1 comments

I think it's more a question of encrypting data on the backend. The data wasn't stolen by phishing 16 million individual users' passwords. Companies that deal with sensitive genetic data should be subject to the same level of HIPAA compliance as those that deal with medical data, for instance.
Weren't users willingly sharing that data with each other? Encrypting it wouldn't make sense in that use case.
I don't actually know. But if a user wanted to share personal data with another user, I'd make a one-time key. I'm relatively certain that they took no precautions against someone with access to their database. In some scenarios for tiny companies that might be okay, if you don't store sensitive data; but not when it might get whole groups of people slaughtered based on their genetic profile.
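The "one-time key per share" idea in the comment above, as an added illustration that is not the commenter's code and not anything 23andMe does: each shared record gets its own random key, the database stores only ciphertext plus an authentication tag, and the key travels to the recipient separately. The effect is that someone who obtains a copy of the database table alone gets nothing readable. To stay dependency-free this uses an HMAC-SHA256 counter keystream with encrypt-then-MAC; a production system would use a vetted AEAD such as AES-GCM from a maintained library instead. The sample record and all names (`encrypt_share`, `decrypt_share`, `SAMPLE_RECORD`) are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample of the kind of record a user might share (not real data).
SAMPLE_RECORD = b'{"user": "alice", "haplogroup": "EXAMPLE", "matches": ["bob"]}'


def _derive(share_key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key for encryption or MAC from the one-time share key."""
    return hmac.new(share_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a keystream that is unique per (key, nonce)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_share(record: bytes) -> tuple[bytes, dict]:
    """Encrypt one shared record under a fresh one-time key.

    Returns (share_key, stored_row). Only stored_row goes into the database;
    share_key is handed to the recipient out of band and never persisted server-side.
    """
    share_key = secrets.token_bytes(32)   # fresh per share, never reused
    nonce = secrets.token_bytes(16)
    enc_key = _derive(share_key, b"enc")
    mac_key = _derive(share_key, b"mac")
    ct = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    stored_row = {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}
    return share_key, stored_row


def decrypt_share(share_key: bytes, stored_row: dict) -> bytes:
    """Recipient side: verify the tag first, then decrypt. Wrong key or tampering raises."""
    nonce = bytes.fromhex(stored_row["nonce"])
    ct = bytes.fromhex(stored_row["ct"])
    tag = bytes.fromhex(stored_row["tag"])
    mac_key = _derive(share_key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong share key or modified row")
    enc_key = _derive(share_key, b"enc")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def dump_alone_is_useless(stored_row: dict) -> bool:
    """Model the breach scenario: an attacker holding only the database row, not the key."""
    ct = bytes.fromhex(stored_row["ct"])
    if b"alice" in ct or b"haplogroup" in ct:   # plaintext fields must not leak into ciphertext
        return False
    try:
        decrypt_share(secrets.token_bytes(32), stored_row)   # guessing a key fails closed
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key, row = encrypt_share(SAMPLE_RECORD)
    print("stored row:", row)
    print("recipient recovers:", decrypt_share(key, row))
    print("database dump alone useless:", dump_alone_is_useless(row))
```

The design choice worth noting is where the key lives: because the server never stores `share_key`, a database-only compromise (the scenario the comment worries about) exposes ciphertext and tags but no readable records, and the tag check means a modified row is rejected rather than silently decrypted to garbage.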
Might be a hard sell, though. People on Facebook share personal data with their friends in their profiles all the time.
Ugh. I'm so divorced from social media, I didn't even consider the marketing use case for "share your genetic data with your friends"... I wonder if this hack was just someone scraping an API for that (?!!)

It's gross. On a side note, when I asked my father (an educated man in his 80s with a law degree) why he put our genetic information online without asking us, his response was that he didn't put it online, he mailed it, and it was just his own. I only say this to illustrate that the entire setup here resembled a con game to collect genetic data from unwitting people - which, if they represented only 25% of the population, would be enough to let you deduce the rest. The abhorrent fact that it was handled so flippantly is just icing on the cake.

In this case, to be fair, it's not "share your genetic data with your friends", exactly.