Attackers were able to compromise 23andMe over five months beginning April 2023, enabling access to 5.5 million DNA Relatives profiles and details from 1.4 million users of the Family Tree feature, said the company in a disclosure in October.
It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.
Yes, they should have MFA, but also no, most sites and services don’t force you to use MFA to begin with.
This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users.
I’ve always been hugely in favor of it. It’s the one change that could maybe justify their gargantuan salaries – if your company causes harm and suffering, the leaders absolutely need to be put on the hook.
Seems like a paltry amount, given what savvy social engineers could do with that data.
If you don’t use proper security practices, you should be on the hook for prison time at a minimum.
It should be $0 because this was a credential stuffing attack (Using breached passwords people reused), and affected people who knowingly shared their data with other people.
Yes, they should have MFA, but also no, most sites and services don’t force you to use MFA to begin with.
This is, for the most part, the fault of the folks using terrible security practices such as refusing passwords and sharing their data with other users.
So all the people who actually make the decisions walk away scot-free?
I didn’t say that. However, if delegation is too risky, do the work yourself.
Who would you jail? How would you decide whos responsible? You can’t jail the entire company.
But with a sufficient size fine you can make everyone at the company regret that decision, directly or indirectly.
You punish everyone in proportion to their responsibility
But they’re not suggesting they be punished at all…
Who would I jail? The C-officers. Your shit show, your responsibility. If you can’t trust your employees, figure out why or do the work yourself.
I’ve always been hugely in favor of it. It’s the one change that could maybe justify their gargantuan salaries – if your company causes harm and suffering, the leaders absolutely need to be put on the hook.