23andMe To Users Who Are Suing Them: It’s Your Fault That We Got Pwned

The more I read about 23andMe, the more they come across as complete scumbags. Hot on the heels of this rather underhanded trick to distance themselves from being sued out of existence after they got pwned, and pwned big, comes this:

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Well, that’s pretty low. Ken Westin, Field CISO at Panther Labs, had this to say:

Placing blame on end users for large-scale security incidents is never a good move. This move by 23andMe feels more like something that lawyers cooked up to avoid liability in the short-term without consideration for the long term consequences or real reflection by the company regarding their security practices. Given the nature of 23andMe’s business, trust is a key component of their go-to-market strategy, so it will be interesting to see how the market responds to this approach. I believe it will have a detrimental effect and have a larger impact on the business as a result. How organizations respond to security incidents can have a more significant impact than the original breach if it is not handled responsibly.

I agree with this. It sounds like a very bad thing to say, and like something cooked up by a lawyer. I wonder if that lawyer’s name is Han Solo, as this defence sounds really familiar:

If there’s a company that truly needs to be sued out of existence based on their actions after being pwned by hackers, it’s this one.

UPDATE: Paul Valente, CEO and Co-Founder of VISO TRUST, adds this comment:

“While 23andMe’s legal reply is not at all surprising, this case has the potential to set a new precedent in accountability — one which many CISOs and security professionals will appreciate — where B2C enterprises are held accountable for making sure allowed authentication methods are commensurate with the applicable risks and threats.”
