23andMe Faces Class Action Lawsuits After Massive Data Breach Exposes Customer Genetic Information

Genetic testing giant 23andMe is facing a series of class action lawsuits in the United States after a significant data breach that exposed the personal information of its customers, according to an article by Bleeping Computer. The breach involved a leaked CSV file named ‘Ashkenazi DNA Data of Celebrities.csv,’ posted on hacker forums, containing data of nearly 1 million Ashkenazi Jews who used 23andMe’s services for ancestry information and genetic predispositions.

The compromised data included account IDs, full names, gender, birthdates, DNA profiles, and location details of 23andMe users. The original hacker initially leaked the data but later began selling stolen profiles. While 23andMe attributed the breach to credential-stuffing attacks on weakly secured accounts, they denied a direct security breach of their systems. The attackers gained unauthorized access to a small number of accounts and exploited an optional feature called ‘DNA Relatives,’ connecting genetic relatives, to exfiltrate a larger, unspecified number of clients’ data.

In response, 23andMe pledged to inform affected customers individually and is conducting an investigation with third-party experts and law enforcement. Despite members activating the optional feature voluntarily, some argue that the company failed to adequately protect user data. Four class action lawsuits filed in California seek relief for damages, criticizing 23andMe’s lack of transparency in their official announcement, insufficient security measures, and failure to promptly address the breach. The lawsuits underscore that as a company handling sensitive medical data, 23andMe should have been aware of heightened cybersecurity threats in the industry.

Plaintiffs demand various financial remedies, including restitution, lifetime credit monitoring, compensatory and statutory damages, punitive damages, and coverage of attorney’s fees. One complaint specifies nominal damages of $1,000 and punitive damages of $3,000 per class action lawsuit member. The legal actions highlight the company’s duty to secure personal information, use industry-standard encryption, train employees, and promptly notify customers of any potential compromise, emphasizing the responsibility of 23andMe to prevent foreseeable harm to its users.