Genetic testing company 23andMe is being accused of failing to protect the privacy of customers whose personal information was exposed in a data breach last year that affected nearly seven million profiles.
The lawsuit, which was filed in federal court in San Francisco on Friday, also accused the company of failing to inform customers of Chinese and Ashkenazi Jewish heritage that they had been specifically targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.
The lawsuit was filed after 23andMe submitted a notification to the California Attorney General’s Office showing that the hack occurred over the course of five months, from late April 2023 to September 2023, before the company became aware of the breach. According to the filing, which was reported by TechCrunch, the company became aware of the breach on October 1, when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as evidence.
The company first disclosed the breach in a blog post on October 6 that said a “threat actor” had gained access to “certain accounts” using “recycled login credentials” – old passwords that 23andMe customers had reused on other sites that had been compromised.
The company disclosed the full scope of the breach in an updated blog post on December 5, after an internal review was completed with the assistance of “third-party forensic experts.” By that time, according to plaintiffs’ attorney Eli Wade-Scott, users’ personal genetic information and other sensitive material had been available on the dark web, and offered for sale, for two months.
23andMe did not immediately respond to requests for comment about the lawsuit.
Jay Adelson, another attorney representing the plaintiffs, said that 23andMe’s approach to privacy and the resulting lawsuit signal “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.
“Now that we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, large scale,” Mr. Adelson said in an email on Friday. “The standard for when a company acts reasonably to protect data is now higher, at least for the types of data that can be used in this manner.”
A Florida father of two, who is one of the two named plaintiffs in the lawsuit, said in an interview that a 23andMe kit he bought as a birthday gift last year revealed that he had Ashkenazi Jewish heritage. The man, identified in the complaint only by his initials, JL, spoke on condition of anonymity because he said he feared for his safety.
He was looking to connect with relatives, he said, so he opted for a feature called DNA Relatives, where selected information is shared with other 23andMe customers who may be a close genetic match.
23andMe said in December that a hacker had gained access to the feature and obtained information from 5.5 million DNA Relatives profiles. Those profiles may include the customer’s geographic location, year of birth, family tree, and uploaded photos.
The hacker was also able to access the profile information of an additional 1.4 million customers by accessing a feature called Family Tree.
When 23andMe notified JL and millions of other users that their data had been breached, JL said he feared he might become a target because anti-Semitic hate speech and violence were on the rise as a result of the conflict in Israel and Gaza.
“Now that the information is out,” he said, “anyone can come in and decide where they’re going to vent their frustrations.”
According to the lawsuit, on October 1, a hacker who called himself “Golem” and used an image of Gollum from the “Lord of the Rings” films as an avatar leaked the personal data of more than 1 million 23andMe users with Jewish ancestry on BreachForums, an online forum used by cybercriminals. The data included users’ full names, home addresses and dates of birth.
Later, according to the lawsuit, in response to a request on the platform for access to “Chinese accounts” by someone using the alias “Wuhan,” Golem responded with links to the profile information of 100,000 Chinese customers. The lawsuit says Golem claimed to have a total of 350,000 profile records of Chinese customers and offered to release the rest if there was interest.
The lawsuit states that on October 17, Golem returned to the platform to say that he had data about “wealthy families who serve Zionism,” which he offered for sale in the wake of the deadly explosion at Al-Ahli Arab hospital in Gaza City. Israeli officials and Palestinian militants blamed each other for the blast, but Israeli and US intelligence agencies have said that it was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“The current geopolitical and social climate increases the risk to users” whose data was exposed, the lawsuit argued. Representative Josh Gottheimer, Democrat of New Jersey, earlier this month demanded an FBI investigation into the breach’s targeting of Ashkenazi Jews.
“The leaked data could empower Hamas, their supporters, and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to FBI Director Christopher Wray.
Ramesh Srinivasan, a professor in the department of information studies at the University of California, Los Angeles, said it is inevitable that these types of breaches will continue.
The question, he said, is whether companies will address them by taking serious precautions – for example tightening security or limiting data retention – or whether they will simply apply a Band-Aid by promising to do better next time.
“We are staring into an abyss when it comes to the datafication of our lives,” he said.