23andMe blames data breach victims for hack

23andMe data breach: What happened and why users are taking legal action

Prominent genetic testing company 23andMe has experienced a massive data breach. The security failure exposed a range of sensitive customer data, including names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and locations. 

Surprisingly, while many companies are apologetic following mass data breaches, 23andMe has appeared to blame its users for the security violation. 

How did the 23andMe breach happen?

In 2023, hackers managed to access the accounts of around 14,000 23andMe customers. Rather than breaking into 23andMe’s systems, the criminals used emails and passwords stolen in other breaches to log in to these accounts. The type of attack used in the 23andMe breach is called “credential stuffing”. It is popular with cybercriminals as around 21% of people use the same credentials when creating new accounts.

In a statement, rather than issuing the standard apology, 23andMe said that the affected users had “negligently recycled and failed to update their passwords”. So 23andMe appears to blame its customers for the security violation. 

However, even if you were to accept 23andMe’s argument, the 14,000 customers whose accounts were accessed by hackers are not the only victims in this case. 23andMe has a feature called ‘DNA Relatives’ that lets people automatically share data with other users if they are related in some way. The hackers took advantage of this feature to successfully access the private data of around seven million people. The genomics and biotechnology company will surely have a hard time blaming them for the mass privacy violation.  

23andMe says there is no merit to the lawsuits being made against it

To date, over 30 lawsuits have been filed against 23andMe for the breach. But the company continues to assert that there is no merit to these legal actions.  

According to 23andMe, any information that may have been accessed “cannot be used for any harm.” That’s despite the hackers offering the stolen data for sale on the dark web. 

Lawyers believe that it is somewhat ironic that 23andMe believes no harm can be caused by using the stolen data when it was stolen data that led to its customers’ accounts being accessed in the first place!

Data protection lawyers in the UK also refute 23andMe’s claims that the stolen credentials are useless to criminals. According to legal firm KP Law, it “has seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft.” Accordingly, its data breach experts have strongly advised anyone involved in this breach to “be vigilant and take necessary precautions”.

Are you affected by the 23andMe data hack?

Millions of people are affected by the 23andMe data breach, including many in the UK. 23andMe has written to all affected users. If you have received this notification, you could qualify to join a group action claim.

Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.  

This information is for general guidance only and does not constitute legal or financial advice.
