The Blame Game – A Case Study: 23andMe’s Data Breach

In the digital age, data breaches have become an unfortunate reality. Companies are expected to protect their customers’ data, but what happens when they fail to do so and then shift the blame onto the victims? This blog post will explore a recent case involving the genomics giant, 23andMe.

The Breach

Last fall, a data breach compromised the DNA data of about 6.9 million users of 23andMe [1]. This incident was not only a violation of privacy but also raised concerns about the potential misuse of sensitive genetic information.

Shifting the Blame

In the aftermath of the breach, 23andMe appears to have shifted the blame towards the customers who were affected [1]. As customers attempted to sue the company, 23andMe disavowed responsibility and turned the blame back on them [2].

In a letter from the company’s lawyers sent to victims suing the company for the breach, 23andMe urged users to “consider the futility of continuing to pursue an action in this case,” because their claims are allegedly meritless and “the information that was potentially accessed cannot be used for any harm” [3].

Why did they not have brute force protection on their website?

Where were the incident alerts to their SOC?

What is their RMF (Risk Management Framework) and security posture to protect the integrity of customer data?

Why were they able to use weak passwords in the first place?

What decision was made at the top of 23andMe to follow these practices, and then to blame the victims for the consequences of that negligence?
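The three controls the questions above ask about (brute-force protection, alerts to the SOC, and a policy that refuses weak passwords) are not exotic. The script below is an added illustration written for this post, not 23andMe’s code and not based on any knowledge of their systems: it runs over a handful of constructed authentication log lines, locks an account after repeated failures, raises a SOC alert when one source fails against many different accounts (the credential-stuffing pattern), and rejects passwords that are short or on a breached-password list. The thresholds and the tiny common-password set are assumptions chosen to keep the sample small.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data):
# timestamp, source IP, account, result
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.5 alice FAIL
2023-10-01T12:00:03Z 203.0.113.5 alice FAIL
2023-10-01T12:00:05Z 203.0.113.5 alice FAIL
2023-10-01T12:00:07Z 203.0.113.5 alice OK
2023-10-01T12:01:00Z 198.51.100.9 bob FAIL
2023-10-01T12:01:01Z 198.51.100.9 carol FAIL
2023-10-01T12:01:02Z 198.51.100.9 dave FAIL
2023-10-01T12:01:03Z 198.51.100.9 erin FAIL
2023-10-01T12:01:04Z 198.51.100.9 frank OK
2023-10-01T12:30:00Z 192.0.2.44 grace FAIL
"""

# Assumed policy thresholds; a real deployment would tune these.
LOCKOUT_FAILS = 3                      # failures inside LOCKOUT_WINDOW before an account is locked
LOCKOUT_WINDOW = timedelta(minutes=10)
STUFFING_DISTINCT_ACCOUNTS = 4         # one source failing against this many accounts -> SOC alert
STUFFING_WINDOW = timedelta(minutes=5)

# Stand-in for a breached-password list (a real one has hundreds of millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result))
    return events


def locked_accounts(events):
    """Brute-force protection: sliding-window lockout per account.

    A later OK does not clear the lock, because that success may be the
    attacker finally guessing the password rather than the real user.
    """
    recent_fails = defaultdict(list)
    locked = set()
    for ts, _ip, user, result in sorted(events):
        if result != "FAIL":
            continue
        window = [t for t in recent_fails[user] if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        recent_fails[user] = window
        if len(window) >= LOCKOUT_FAILS:
            locked.add(user)
    return locked


def stuffing_alerts(events):
    """SOC signal: one source IP failing against many distinct accounts in a short
    window is credential stuffing, not a user mistyping their own password.
    Returns {ip: number_of_distinct_accounts} for every source that trips the threshold."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails_by_ip.items():
        for i, (start, _user) in enumerate(attempts):
            accounts = {u for t, u in attempts[i:] if t - start <= STUFFING_WINDOW}
            if len(accounts) >= STUFFING_DISTINCT_ACCOUNTS:
                alerts[ip] = len(accounts)
                break
    return alerts


def password_is_weak(pw):
    """Password policy: minimum length plus a breached-list check.
    NIST SP 800-63B favours length and blocklists over composition rules,
    so no 'must contain a symbol' requirement is imposed here."""
    return len(pw) < 12 or pw.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("locked accounts:", sorted(locked_accounts(events)))
    print("SOC alerts (credential stuffing):", stuffing_alerts(events))
    for candidate in ("letmein", "Password123", "correct horse battery staple"):
        print(f"{candidate!r} weak: {password_is_weak(candidate)}")
```

On the sample, alice is locked after her third failure, and the source 198.51.100.9 is flagged because it failed against four different accounts within seconds; both of those are the kind of signal a SOC would expect to receive long before millions of profiles were scraped.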

The Implications

This approach of victim-blaming is not only morally questionable but also raises serious concerns about corporate responsibility. While consumers do have a responsibility to protect their personal information, the primary responsibility for data security lies with the companies that collect and store this data.

Adam Aviv, an associate professor of computer science at George Washington University, states, “While there’s some responsibility on consumers to be careful about who they share their personal information with, the fault for breaches almost always lies with insufficient security practices by the affected company, not by the victims of the breach” [4].

Conclusion

The 23andMe case serves as a stark reminder of the importance of corporate accountability in the era of data breaches. Companies must not only take steps to secure the data they hold but also take responsibility when breaches occur. Shifting the blame onto victims not only harms those affected but also undermines trust in the company and its practices.

In the end, it is clear that companies need to do more to protect their customers’ data and be held accountable when they fail to do so. After all, in the digital age, data security is not just a corporate responsibility, it’s a social one.