DNA testing firm 23andMe is currently facing over 30 lawsuits related to a data breach that occurred in October 2023. Customers impacted by the breach have filed class actions and mass arbitration claims against the company.
Description
The breach occurred when unknown attackers gained access to 14,000 user accounts by brute-forcing passwords through credential stuffing [6]. This allowed the hackers to access the personal data of 6.9 million other users through the DNA Relatives feature. 23andMe argues that the breach was not due to their failure to maintain reasonable security measures [6], but rather hackers gaining reused credentials from third-party websites [6]. However, lawyers representing the victims argue that 23andMe should have implemented stronger security measures [4], especially considering the sensitive nature of the data they store [6]. The breach impacted millions due to the insecure DNA Relatives feature [6], not password recycling [6].
The company’s lawyers claim that the accessed data cannot be used for financial harm as it did not include social security numbers [6], driver’s license numbers [6], or payment information [6]. The courts have not yet ruled on the case [5], and the lawsuits are seeking consolidation through multidistrict litigation [5]. Critics argue that while users have a responsibility to follow best practices [1], companies also have a duty to protect sensitive information [1]. Experts have noted that exposing genealogy and relationship information can be highly useful to attackers for targeted social engineering campaigns [1].
Recently, 23andMe made changes to its terms of service shortly before disclosing the breach. Legal experts believe these changes were made to make it more difficult for affected customers to file a lawsuit against the company [2]. Three lawyers specializing in data breach cases described the changes as “cynical,” “self-serving,” and a “desperate attempt” by 23andMe to protect itself and discourage customers from exercising their legal rights [2].
The company denies liability for the breach [4], arguing that users were to blame for the data exposure due to password recycling and failure to update them. The company implemented security measures after the breach [3], but the stolen data did not include sensitive information. 23andMe believes it is not liable under the California Privacy Rights Act and the Illinois Genetic Information Privacy Act [3]. The issue of shared liability between users and service providers is debated [3], with both parties having responsibilities in protecting accounts [3]. Companies can enforce strong password thresholds and provide notice to users for unusual logins [3].
Conclusion
The data breach at 23andMe has had significant impacts, with over 30 lawsuits filed by affected customers. The breach exposed sensitive personal information of millions of users, highlighting the need for stronger security measures in companies that handle such data. The ongoing legal proceedings will determine the liability of 23andMe and the responsibilities of both users and service providers in protecting personal information. This breach also raises concerns about the potential misuse of genealogy and relationship information for targeted social engineering campaigns. Moving forward, there is a need for a customer’s bill of rights to ensure minimum security requirements for managing sensitive personal information [3].
References
[1] https://www.infosecurity-magazine.com/news/23andme-blames-user-breach/
[2] https://news.yahoo.com/23andme-tells-victims-fault-data-164215889.html
[3] https://www.darkreading.com/cyberattacks-data-breaches/23andme-negligent-users-at-fault-breach-7m-records
[4] https://securityboulevard.com/2024/01/23andme-victim-blame-richixbw/
[5] https://arstechnica.com/tech-policy/2024/01/23andme-shamelessly-blaming-users-for-data-breach-lawyer-says/
[6] https://www.techspot.com/news/101418-23andme-now-blames-users-their-recycled-passwords-october.html
