It seems 23andMe is facing serious repercussions after a massive data breach, and the aftermath has sparked controversy over the company’s response to the victims.
Data Breach Details:
Last December, 23andMe admitted to a significant data breach where hackers accessed the genetic and ancestry data of 6.9 million users.
The breach originated from hackers initially targeting around 14,000 user accounts by using known passwords associated with these accounts, a tactic known as credential stuffing.
Blaming the Victims:
In a letter addressed to a group of victims suing the company, 23andMe attempted to shift responsibility, stating that users negligently recycled and failed to update their passwords, and sought to absolve itself of the alleged security failures.
The company claims that the incident was not the result of its failure to maintain security measures but of users’ unrelated past security incidents.
Response from Lawyers and Affected Customers:
Lawyers representing the victims expressed outrage at 23andMe’s attempt to blame the breach on users, calling it nonsensical and shameful.
They argue that the company should have implemented better safeguards against credential stuffing, especially considering the sensitive nature of the data they handle.
Affected customers echoed similar sentiments, expressing disappointment and dismay at 23andMe’s attempt to avoid accountability instead of assisting its users.
Claiming Limited Harm from Stolen Data:
23andMe’s lawyers argue that the stolen data cannot cause monetary harm, as it didn’t include sensitive data like Social Security numbers, driver’s license numbers, or financial details.
They emphasize that the compromised information was related to the DNA Relatives feature, through which users choose to share it.
Legal Maneuvers and Customer Deterrence:
To preempt class action lawsuits and mass arbitration claims, 23andMe altered its terms of service, making it harder for victims to collectively file legal claims against the company.
Lawyers familiar with representing data breach victims criticized these changes as self-serving and a cynical attempt to protect the company’s interests while deterring customers from pursuing legal action.