Robin’s Newsletter #286

10 December 2023. Volume 6, Issue 50
23andMe data breach impacts grow. Pushing surveillance. Five Eyes detail Russian political meddling.

This week

Scale of 23andMe data breach increases: 6.9 million may be affected

  • Rumours that genetic testing company 23andMe had suffered a data breach started circulating in October. First, the company said it was its users’ fault for reusing passwords (vol. 6, iss. 41), despite the company not noticing significant, programmatic access to its users’ accounts. Then it filed with the SEC saying around 0.1% of user accounts (~14,000 people) were impacted (vol. 6, iss. 49). Now it seems the number might be closer to 6.9 million.
  • The difference between the numbers comes from 23andMe’s DNA Relatives feature, which lets users share their DNA profile for potential matches with other users. Credential stuffing gave attackers access to ~14,000 accounts, but each of those accounts could see the data that relatives had opted to share. The feature allows users to “find lost family members by willingly giving others access to information like their birth year, current location, and ancestors’ names and birth locations”.
  • 23andMe has also given users 30 days to opt out of new terms, including a prohibition on participating in class-action lawsuits against the company. Users were notified via email that “important updates were made to the Dispute Resolution and Arbitration section”. The practical impact is that, as details of the data breach come to light, users who do not opt out will not have the ability to participate in group legal action against the firm. Read more about how to opt out if you’re a 23andMe customer.

Surveillance notification

  • US Senator Ron Wyden has revealed that government agencies are spying on targets through app push notifications.
  • Apple and Google are “in a unique position to facilitate government surveillance of how users are using particular apps,” as the tech companies act as brokers, relaying the notifications between the app developer and their users. Many notifications are not end-to-end encrypted and contain snippets of content or message previews; these are generated separately from the content or message itself, which is loaded within the app. That means the relay operator (and anyone who can compel it) can see which app sent a notification to which device, when, and often a preview of what it said, without touching the app’s own servers.
  • Wyden’s letter to the Department of Justice asks that Apple and Google be permitted to be transparent about these requests and about whether they have been legally compelled to hand over this type of information.

Russia round-up

Interesting reads

Interesting stats

$3 billion in cryptocurrency stolen by Kimsuky, Lazarus, Andariel, and other North Korean groups since January 2017, according to Recorded Future, who estimate the same groups have been behind 44% of all stolen cryptocurrency in the last year.

55% of insider threats involve exploiting privilege escalation vulnerabilities, according to CrowdStrike; the remaining 45% involve downloading or misusing offensive security tools.

Other newsy bits / in brief

And finally 

  • Communications integrity: Bravo to Louis Ashworth, the picture editor and folks at FT for their sassy write-up of a snafu at corporate comms specialist Investis Digital who sent a message purporting to be a regulatory news alert from Tesco Plc reading “GO FUCK YOURSELF” in big-ol’, bold, red font. I suspect it’s most likely a test gone wrong, but can’t rule out a disgruntled employee or unauthorised access. Still, they did deliver an “authentic online [experience]”.
