23andMe Lawsuit: Data Breached and Credentials Stolen By Third Party

The genetic testing company 23andMe is the defendant in a class action lawsuit. The suit was filed in response to a breach of customer data in 2023. The breach occurred in October 2023, and personal information was exposed last year, affecting almost seven million profiles.

Overview of 23andMe Lawsuit

A threat actor conducted a credential-stuffing attack that allowed access to certain customer accounts. Almost 14,000 individual accounts were compromised, almost 0.1% of the company's customers. 23andMe placed the blame for the attack on customers’ poor security practices.

The accounts could be accessed because the affected customers had used the same username and password to secure accounts on unrelated platforms. Those third-party platforms experienced data breaches in which credentials were stolen, and the stolen credentials could then be used to access any other account where the same credentials had been reused, including the customers' 23andMe accounts.

The lawsuit was filed in federal court in San Francisco and accused the company of failing to notify customers with Chinese and Jewish heritage that they appeared to have been targeted.

Data Breach Detail of 23andMe Lawsuit

It was filed when a notification was submitted to the California Attorney General’s office. The notification showed that the company was hacked over five months, from late April 2023 to September 2023. Until then, the company was unaware of the intrusion; it learned about the breach when a hacker posted on the 23andMe subreddit claiming to have customer data and shared data as proof.

The data include health predisposition data, uninterpreted raw genotype data, and carrier status reports. The hacker also exploited the 23andMe feature ‘DNA Relatives,’ which connects people with their DNA relatives.

In this way, the hacker obtained information on almost 5.5 million users and family tree information for a further 1.4 million individuals. Furthermore, the hacker listed the data for sale, including data on customers with Chinese and Jewish heritage.

After that, more than two dozen lawsuits were filed against the company over the data breach. According to the plaintiffs’ lawyers, the data being offered for sale could be used as a hit list, allowing Jews to be targeted.

The Chinese data, in turn, could be used by the intelligence agencies of the Republic of China to target dissidents. More than 14,000 accounts were accessed because of customers’ password reuse.

Furthermore, the plaintiffs alleged that the company should have been aware that a cyberattack was likely and should have taken steps to reduce the risk. The lawsuit alleged that 23andMe lied about data security, failed to implement protections, and lied about the breach’s severity.

Court Hearing About 23andMe Lawsuit

At the court hearing, attorneys for the San Francisco-based company disclosed that a settlement had been agreed in principle to bring the litigation to an end. The company was finalizing the details and hoped to produce an executed term sheet in the upcoming week.

The company issued a statement: ‘We have reached an agreement in principle for a full settlement of US regarding the 2023 credential stuffing security incident.’ Hopefully, this settlement will be best for the company’s customers.

Attorneys’ Response to 23andMe Lawsuit

Lawyers argued that some were owed up to $3 billion in damages under the Genetic Information Privacy Act. In its annual report, the company disclosed that it has around $216 million in cash. Continued legal action to obtain substantial damages risked bankrupting 23andMe. The settlement should include payment for dark web monitoring services and non-monetary relief.

FBI director, Mr. Gottheimer, gave the statement, ‘The leaked data can empower Hamas, their supporters, and extremist groups to target the American Jewish population and their families.’ A University of California professor said these types of breaches would continue. Companies should therefore address these issues and take serious precautions.
