[jacquesm]

That they should have offered (and enforced) 2FA from day #1 because users will re-use passwords because they are utterly unaware of the implications of doing that. A company the size of 23andme in charge of a very large amount of medical data and PII should be aware of those implications. To blame the users here is beyond stupid and irresponsible.

You don't engineer a service like 23andme without doing some risk assessment and one of the risks they should have identified and mitigated is password re-use by Joe Average because Joe Average (and his mom) were exactly the demographic that they targeted. Anybody that was somewhat sensitive to the privacy risks wouldn't have used the service in the first place.

[ticulatedspline]

they do offer 2fa. Personally I do blame the users, it's like if I robbed your house and then you sued the city because there wasn't a law that required you to put steel bars on your windows and have 3 locks and your argument is "I moved into a area where crime could occur, the city should have known I was too stupid to secure my stuff, we want a nanny state!"

as long as they weren't actively inhibiting security by not offering 2 factor or disallowing strong passwords, I don't think it's legally a company's responsibility to make their users eat their vegetables. good idea? maybe, but not required.

[jacquesm]

Offering != mandating. You don't offer a service like this to the general public without ensuring that their data is protected from the most obvious attacks, and password reuse is probably the #1 candidate for that unless using very weak passwords is a better #1. Either of these should be very explicitly guarded against. If you can't do that you shouldn't be operating a service like this.

What they are doing with this response is letting their legal department drive their car away from the scene of the hit-and-run. At least, that's what they hope.

[synicalx]

While it might not be "legally" required (or maybe it is, courts haven't decided yet) it's in 23andme's own best interest to at least take some steps to ensure the technically illiterate users aren't leaving the front door wide open because if they don't then they end up in situations like this.

They can blame anyone they want but at the end of the day it's their brand that's getting dragged through the mud right now and after this NO ONE will trust them ever again.

[ticulatedspline]

oh absolutely they look bad, and they could certainly have chosen a more tactful response. Most people won't even understand the nature of the data loss, and it's likely to affect their bottom line. And honestly IMHO that's more than enough lesson to start forcing security down their customer's throats.

But as I see it right now they have no legal culpability and calling for them to be drawn and quartered over it isn't exactly productive. Honestly I'd worry more about an industry knee-jerk reaction slapping crappy but CYA security on all kinds of sites if they lose the legal battle over this.

[jacquesm]

Negligence is a perfectly valid reason for culpability and I see the fact that they offered a service with this kind of data to the general public without mandatory 2FA as negligent. If only because their users are more than likely to be unaware of the kinds of risks they are taking whereas 23andme knows exactly what kind of risk those users are taking: that's why they wanted their data in the first place.

In my opinion the real reason why they didn't mandate 2FA is very simple: it would have alerted users to the fact that what they were doing was significant and it would have been a point of friction in setting up the account. But all they wanted is the data, the rest was infotainment and a sideshow from the POV of 23andme. The words 'duty of care' probably mean absolutely nothing to them.

[michaeljx]

They could have mandated 2fa only at the point where they present the results.

[jacquesm]

No, they should have done it right from day #1 so that users (1) have confidence they are treating this with the seriousness that it requires, (2) to minimize the 'surprise' factor, (3) to ensure that also the users other data is properly protected. They also should have ensured HIPAA compliance for their US based customers and compliance with whatever local legislation was applicable for their customers elsewhere and to track any changes in that legislation. This includes full consent management, the option to withdraw consent at any point in time and to be able to deal with requests for removal of data, especially relevant given that the suppliers of the DNA material may later on have second thoughts about all this. Note that you don't just give DNA to a service like this on your own behalf but also on behalf of all of your siblings, descendants and ancestors.

Recognize the potential for actual damage before you decide to blame the victims here and then wonder why 23andme apparently did not recognized that potential. Also recognize that you can't exactly change your DNA, it is your identity.

[philistine]

Blame is irrelevant. Do you honestly believe that 23andMe is reacting appropriately to the massive problem ?

The only reasonable reason they are reacting this way is not a question of belief, it's their legal defence as PR.

[synicalx]

As another commenter pointed out elsewhere, they do offer MFA. However from what I can gather it looks like they, like most other companies, don't mandate it's usage. Like you've said though given the kind of data they have they 100% needed to do better here and their response is bonkers.