The Effects of Accounts Hacked in Data Breach at 23andMe

By: Ashley Paredes ’25

     Biotech company 23andMe Inc. confirmed a data breach on Oct. 6, which led to the sale of consumer data on the black market, including family trees, birthdays, names, sex and the percentage of genetic information shared between family members.

     Multiple class action claims have been filed against the company. The plaintiffs seek to represent a class of all persons affected.

     “The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment. The plaintiffs are seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Christopher Brown, Staff Correspondent for the Bloomberg Law Newsletter, reported.

     Prominent figures such as Mark Zuckerberg, Elon Musk and Sergey Brin were mentioned on the list of accounts hacked, according to a press account cited in the lawsuit.

     It was reported that 0.1% of customer accounts were affected by the breach, which is roughly 14,000 people given the company’s recent estimate of having over 14 million users. Not only are the people who hold these affected accounts at risk, but also their family members.

     The company’s filing with the U.S. Securities and Exchange Commission (SEC) noted that the breach also involved “a significant number of files containing profile information about other users’ ancestry.”

     Although the cause of the breach is not confirmed, 23andMe has maintained that hackers used a technique known as credential stuffing: taking login information leaked from other websites and trying it against 23andMe accounts, which succeeds wherever a user had reused the same password. Beginning on Oct. 10, the site began requiring users to reset their passwords, and on Nov. 6 it began requiring two-factor authentication for all customer accounts to avoid incidents like this in the future.
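Credential stuffing leaves a recognizable trace in a site’s login logs: one source trying many different usernames, once each, with mostly failures. The following detection script is an added illustration, not code from 23andMe or from this article; it runs over a constructed sample log in a hypothetical format and flags sources that fit that pattern, listing the accounts whose reused passwords were accepted so they can be reset first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical, not 23andMe data):
# "<iso-timestamp> <source-ip> <username> <ok|fail>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice fail
2023-10-01T10:00:02 203.0.113.7 bob fail
2023-10-01T10:00:03 203.0.113.7 carol ok
2023-10-01T10:00:04 203.0.113.7 dave fail
2023-10-01T10:00:05 203.0.113.7 erin fail
2023-10-01T10:00:06 203.0.113.7 frank fail
2023-10-01T10:01:00 198.51.100.2 alice fail
2023-10-01T10:01:30 198.51.100.2 alice ok
2023-10-01T10:02:00 192.0.2.9 grace ok
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames in a short window with
    mostly failures. Brute force hammers one account; credential stuffing tries
    one leaked pair per account, so the distinct-username count is the signal.
    Returns one alert per flagged source, covering its widest matching window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_line(l) for l in log_text.splitlines() if l.strip()):
        by_ip[ip].append((ts, user, ok))
    alerts = []
    for ip, attempts in by_ip.items():
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window forward
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(ok for _, _, ok in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"src_ip": ip, "distinct_users": len(users), "attempts": len(win),
                            "successes": successes,
                            # accounts that accepted a reused password: reset these first
                            "compromised": sorted(u for _, u, ok in win if ok)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

A single user who mistypes a password and then logs in (198.51.100.2 above) is not flagged, because the rule keys on distinct usernames rather than on failures alone.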

     “I firmly believe that cyber-insecurity is fundamentally a policy problem. We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminal,” Brett Callow, a threat analyst at the security firm Emsisoft, said.

     This is not the first time a biotech company has been held liable for the breach of personal information of its accounts.

     In 2017, a similar site, MyHeritage, reported a breach of accounts. According to the site, no sensitive data such as family trees and DNA data were accessed because they are stored on segregated systems. In the wake of the incident, MyHeritage took preventive measures similar to 23andMe’s, such as requiring two-factor authentication and reaching out to customers who may have been affected.

     After this type of breach has happened twice, customers are questioning the reliability of these companies in safely securing such private information.

     “Should we be providing data that is so personal and so intimate to an organization that, largely speaking, only has a strong allegiance to their investors and their boards?” Ramesh Srinivasan, a professor at the University of California, Los Angeles department of information studies, said.

     It could be months or years before the lawsuit produces results, but an investigation is currently underway and the case has gone to mediation.

     “We completely understand the position the Edelson firm is taking in its motion and generally agree that proceeding to mediation before leadership is appointed and with dozens of plaintiffs’ lawyers is both premature and ripe for chaos,” said Stuart Davidson of Robbins Geller; Edelson and Robbins Geller are two of the most prominent class action firms in the 23andMe litigation.

     As cybersecurity becomes more important, here are some steps to take to reduce the risk of personal information being exposed online: do not reuse passwords across sites, use two-factor authentication where possible, and do not share passwords with anyone.

     “If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Tim Cook, CEO of Apple Inc., said.
