Data Breaches at 23andMe and MGM
In an age where personal data is increasingly valuable and vulnerable, yet another major data breach has shaken public trust. In early December, 23andMe announced that hackers accessed the personal data of 0.1% of their customers, about 14,000 individuals. Through those accounts, the hackers were also able to access files containing profile information about the ancestry of 6.9 million users.
The stolen data included customers’ names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations. Because 23andMe has a feature that matches users with their relatives, hacking into one individual account let the hackers see the personal data of both the account holder and their relatives, which significantly increased the total number of 23andMe victims.
23andMe said the data breach was caused by customers reusing passwords, which allowed hackers to get into the victims’ accounts by trying passwords released in previous data breaches, an attack known as credential stuffing.
MGM Resorts
A few months earlier, MGM Resorts also experienced a large-scale cyberattack. The September attack caused a huge disruption across MGM’s properties, shutting down ATMs and slot machines and pulling the company’s websites offline.
The data breach exposed customer data such as names, contact information, gender, dates of birth, and driver’s license numbers. For some customers, hackers also accessed Social Security numbers and passport details. MGM has confirmed that an unspecified amount of customers’ personal information was stolen in the cyberattack. Repairs to their security infrastructure are estimated to cost $100 million.
Like 23andMe’s, MGM’s data breach is also believed to have been caused by the common mistake of password reuse. Experts believe that the attackers had usernames and passwords from previous data breaches. Using those credentials along with additional information collected from a high-value user’s LinkedIn profile, the attacker successfully tricked the helpdesk into resetting the user’s multi-factor authentication (MFA) and was able to compromise MGM’s systems.
Password Management
Cybersecurity experts have emphasized the importance of password safety. Below are our password best practices:
- Never share your passwords with others.
- Use different passwords for different accounts. That way, if one account is compromised, the others won’t also be at risk.
- Longer, more complex passwords are best. Use at least 16 characters whenever possible and include upper and lower case letters, numbers, and special characters.
- Use multi-factor authentication (MFA). This adds another layer of protection to your accounts in addition to your username and password.
- Use a password manager to organize your passwords. Password managers securely store your passwords, and many include a backup for your passwords and synchronize them across multiple systems.
As technology advances, so do the tactics of cybercriminals seeking to exploit vulnerabilities for financial gain or other malicious purposes. Businesses should adopt technologies that will keep their information secure.