Genetic testing company 23andMe is accused in a class action lawsuit of failing to protect the privacy of customers whose personal information was exposed in a data breach that affected nearly 7 million profiles last year.
The lawsuit, filed Friday in federal court in San Francisco, alleges that customers with Chinese and Ashkenazi Jewish ancestry appear to have been specifically targeted, and that their personal genetic information, in a “specially curated list,” was shared and sold on the dark web.
The lawsuit was filed after 23andMe filed a notice with the California Attorney General's Office stating that it had been hacked over a five-month period, from late April 2023 to September 2023, before it became aware of the breach. The company said it learned about the breach on Oct. 1, when hackers posted on an unofficial 23andMe subreddit claiming to have customer data and sharing samples as evidence, according to a filing reported by TechCrunch.
The company first disclosed the breach in an Oct. 6 blog post, in which it said a “threat actor” had used “recycled login credentials” (old passwords that 23andMe customers had used on other sites that had been breached) to access “specific accounts.”
The company revealed the full scope of the breach in a blog post updated on December 5, after completing an internal investigation assisted by “third-party forensic experts.” By then, users' personal genetic information and other sensitive information had been exposed and had been for sale on the dark web for two months, said Eli Wade Scott, a lawyer for the plaintiffs.
23andMe did not immediately respond to a request for comment on the lawsuit.
Jay Edelson, another attorney for the plaintiffs, said 23andMe's approach to privacy and the resulting lawsuit represent a “paradigm shift in consumer privacy law” because of the increased sensitivity of the data that was compromised.
“When we consider a data breach, our first concern is that the information could be used to physically harass or harm people on a systematic and large-scale basis,” Edelson said in an email Friday. “The question is whether it will work or not. The standards for companies to act reasonably to protect data are now higher, at least when it comes to the types of data that can be used in this way.”
One of the two plaintiffs in the lawsuit, a Florida father of two, said in an interview that a 23andMe kit he bought as a birthday present last year confirmed his Ashkenazi Jewish heritage. The man, identified in the complaint only by his initials, JL, spoke on condition of anonymity because he feared for his safety.
He said he chose a feature called DNA Relatives because he was looking for connections with relatives. The feature shares selected information with other 23andMe customers who may be genetically similar.
23andMe announced in December that hackers had used this feature to access information from 5.5 million DNA Relatives profiles. A profile may include the customer's geographic location, year of birth, family tree, and uploaded photos.
The hacker was also able to access profile information for an additional 1.4 million customers by accessing a feature called Family Tree.
After 23andMe notified JL and millions of other users that their data had been breached, JL said he was worried that he might be targeted, as the Israel-Gaza conflict has led to a surge in anti-Semitic hate speech and violence.
“Now that the information is out there, someone may decide to come along and try to address their grievances,” he said.
According to the complaint, on October 1, a hacker who called himself “Golem” and used an image of Gollum from the movie “The Lord of the Rings” as an avatar leaked the personal data of more than 1 million 23andMe users with Jewish ancestry on BreachForums, an online forum used by cybercriminals. The data included users' names, home addresses, and dates of birth.
Golem then provided links to the profile information of 100,000 Chinese customers in response to a request to access a “Chinese account” from someone using the pseudonym “Wuhan” on the forum, according to the complaint. According to the complaint, Golem had a total of 350,000 profile records of Chinese customers and offered to release the rest if there was interest.
According to the complaint, Golem returned to the forum on October 17 and said he had data on “wealthy families serving Zionism” that he was planning to sell in the aftermath of the deadly explosion at Al-Ahli Arab Hospital in Gaza City. Israeli authorities and Palestinian militants blame each other for the explosion, but Israeli and American intelligence agencies say the explosion was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“Current geopolitical and social conditions amplify the risks to users whose data has been compromised,” the lawsuit claimed. Earlier this month, Rep. Josh Gottheimer (D-N.J.) called for an FBI investigation into the breach, noting its focus on Ashkenazi Jews.
In a letter to FBI Director Christopher Wray, Gottheimer said, “The leaked data could give Hamas and its supporters, as well as various international extremist organizations, the ability to target America's Jewish population and their families.”
Ramesh Srinivasan, a professor at the School of Information Studies at the University of California, Los Angeles, said it is inevitable that these types of breaches will continue.
The question, he said, is whether companies will address the issue by taking serious precautions, such as tightening security and limiting data retention, or whether they'll just put a band-aid on it and promise to do better next time.
“When it comes to datafication of our lives, we are staring into the abyss,” he said.