- 23andMe sued for data breach affecting 6.9M users.
- Company blames users’ password negligence.
- Critics slam 23andMe, affected customers dismayed.
In the wake of a massive data breach that exposed the genetic and ancestry data of 6.9 million users, genetic testing company 23andMe finds itself entangled in over 30 lawsuits filed by victims seeking accountability. However, the company is now deflecting blame onto the victims, alleging negligence on their part in a controversial move to absolve itself of responsibility.
The breach, first disclosed in December, originated with hackers gaining access to approximately 14,000 user accounts through a technique known as credential stuffing. In this method, attackers take username and password pairs exposed in earlier, unrelated breaches and try them against the target site, succeeding wherever customers had reused the same password. The hackers then exploited 23andMe’s DNA Relatives feature, a tool that allows users to share data with relatives on the platform. Because each compromised account could view the profiles of its matched relatives, the initial set of accounts let the hackers scrape personal data from an additional 6.9 million users.
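The two stages described above, a credential-stuffing login wave followed by bulk profile viewing through a relative-sharing feature, leave distinct traces in application logs. The following is an added illustration, not code from 23andMe or from the article; it runs over constructed sample events and the IPs, usernames, thresholds and function names are all assumptions.

```python
from collections import defaultdict

# Constructed login events (not real logs): (source_ip, username, outcome)
LOGIN_EVENTS = [
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "bob", "fail"),
    ("198.51.100.7", "carol", "fail"),
    ("198.51.100.7", "dave", "success"),   # one reused password worked
    ("198.51.100.7", "erin", "fail"),
    ("203.0.113.9", "alice", "fail"),      # an ordinary user mistyping once
    ("203.0.113.9", "alice", "success"),
]

# Constructed relative-profile views: (username, relative_profile_id)
PROFILE_VIEWS = [("dave", f"rel-{i}") for i in range(1200)] + [
    ("alice", "rel-1"), ("alice", "rel-2"),
]

def stuffing_sources(events, min_users=4, min_fail_ratio=0.6):
    """IPs that tried many distinct usernames with a high failure ratio.
    A legitimate user rarely cycles through several accounts from one IP."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ip, user, outcome in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        if outcome == "fail":
            rec["fails"] += 1
    return sorted(ip for ip, r in per_ip.items()
                  if len(r["users"]) >= min_users
                  and r["fails"] / r["total"] >= min_fail_ratio)

def accounts_to_reset(events, sources):
    """Accounts that logged in successfully from a flagged IP: these are the
    likely takeovers and the first candidates for a forced password reset."""
    flagged = set(sources)
    return sorted({u for ip, u, out in events if ip in flagged and out == "success"})

def scraping_accounts(views, max_profiles=500):
    """Accounts viewing far more relative profiles than a person would browse,
    the signature of the fan-out from a few accounts to millions of records."""
    per_user = defaultdict(set)
    for user, profile in views:
        per_user[user].add(profile)
    return sorted(u for u, p in per_user.items() if len(p) > max_profiles)

if __name__ == "__main__":
    srcs = stuffing_sources(LOGIN_EVENTS)
    print("stuffing sources:", srcs)
    print("accounts to reset:", accounts_to_reset(LOGIN_EVENTS, srcs))
    print("scraping accounts:", scraping_accounts(PROFILE_VIEWS))
```

Thresholds here are illustrative; in practice they are tuned against the site's normal traffic and combined with rate limits on the relative-sharing feature so a single account cannot enumerate thousands of profiles.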
In response to the mounting lawsuits, 23andMe sent a letter to a group of victims, asserting that users were at fault for the data breach. The letter claimed that users “negligently recycled and failed to update their passwords” after previous security incidents, which the company argued were unrelated to its own security measures.
Hassan Zavareei, a lawyer representing the victims, criticized 23andMe for “shamelessly” blaming the breach on users. Zavareei argued that the company should have implemented safeguards against credential stuffing, especially considering the sensitive nature of the information it stores.
Dante Termohs, an affected 23andMe customer, expressed dismay, stating that it was “appalling” that the company was attempting to evade responsibility instead of assisting its customers.
In their defense, 23andMe’s lawyers claimed that the stolen data could not be used for monetary damage as it did not include sensitive information like social security numbers, driver’s license numbers, or financial details. The company also implemented security measures post-breach, including password resets for all customers and mandatory multi-factor authentication.
Despite attempting to pre-empt legal actions by modifying its terms of service, 23andMe now faces a flurry of class-action lawsuits. Critics have labeled the changes as “cynical” and “self-serving,” highlighting the company’s alleged desperation to shield itself from legal consequences. As the legal battles unfold, the genetic testing giant remains tight-lipped, with no response to media requests for comment.