The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

First Lawsuit Filed Over 23andMe Data Breach

On Friday, October 6, 2023, 23andMe, a direct-to-consumer genetic testing company that offers ancestry and health reports, confirmed that it was investigating a cyberattack that resulted in unauthorized individuals gaining access to certain customer accounts. The announcement about the 23andMe data breach came a few days after stolen data started to be listed for sale on a dark net marketplace.

In the website announcement, 23andMe said it had launched an investigation and engaged third-party forensics experts to assist, and said the investigation is ongoing. The preliminary results suggest there has not been a breach of its systems. 23andMe did say in the breach notice that an unauthorized third party obtained certain information from users’ accounts; the website notice did not mention that stolen data had been listed for sale, though the company confirmed to certain media outlets that it is in the process of validating the listed data. The stolen data included names, sex, date of birth, genetic ancestry results, profile photos, and geographical location that had been gathered from the DNA Relatives feature, but does not appear to have included any raw genetic data. The hacker claims to have obtained millions of data profiles, which are being offered for sale. The listings were first identified by a researcher on October 4, 2023.

“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” explained 23andMe in its website notice. “We believe the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”

23andMe explained that it monitors accounts for unauthorized access and investigates suspicious activity, that its security measures exceed industry data protection standards, that it has attained multiple ISO certifications, and that it has offered users of the service multifactor authentication since 2019. The website notice was updated on October 9, 2023. “We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”


On Monday, October 9, 2023, a lawsuit – Santana v. 23andMe Inc. – was filed in the U.S. District Court for the Northern District of California on behalf of plaintiffs Monica Santana and Paula Kleynburd who allege negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs are represented by Scott Edelsberg, of the law firm, Edelsberg Law PA.

According to the lawsuit, “23andMe attempts to redirect the blame on to the criminal actors that gained access to Defendant’s customer accounts, in violation of their Terms of Service, while avoiding mention that their safeguards were inadequate,” and also alleges “23andME fails to state if they were able to contain or end the cybersecurity threat, leaving victims to fear whether the PII that 23andMe continues to maintain is secure and 23andMe fails to state how the breach itself occurred.”

The lawsuit alleges 23andMe was negligent for failing to implement reasonable and appropriate safeguards to protect sensitive user data, that it maintained users’ personally identifiable information in a reckless manner, did not protect its systems against unauthorized intrusions, did not take reasonable steps to prevent data breaches, did not provide adequate training to its staff, and despite publishing a notice on its website two days after a breach was known to have occurred, failed to provide timely notice of the data breach.

The lawsuit alleges the plaintiffs and class members “suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their PII.” The lawsuit seeks class action certification, a jury trial, actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre- and post-judgment interest.

The data breach highlights the risks of reusing passwords for multiple accounts. If there is a data breach on one platform, the stolen usernames and passwords can be used to access every other account where the same login credentials have been used. These attacks are termed credential stuffing attacks; they are common and are one of the easiest ways for hackers to gain access to sensitive data. If a unique password is used for each account, these attacks can be prevented. Multifactor authentication adds an extra layer of security against these types of attacks, as an additional authentication factor must be provided in addition to a username and password before account access is granted.
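The pattern described above, many different usernames tried from one source with mostly failures and the occasional hit on a recycled password, is what a service provider can look for in its own authentication logs. The following detector is an added example for this article, not 23andMe’s code or tooling: the log format, field names, sample IP addresses, usernames and thresholds are all constructed assumptions. It groups login events by source IP, slides a short time window over them, and flags any IP that tries at least five distinct usernames in that window with a failure rate of 50% or more. The accounts that did log in successfully from a flagged IP are the ones whose reused password worked, and so the ones to force-reset and enrol in MFA.

```python
"""Credential-stuffing detection over authentication logs.

Added illustration, not 23andMe's code or tooling. The log format,
field names, sample addresses and thresholds are assumptions made
for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO-8601 timestamp, source IP,
# username, outcome). Not real data: 203.0.113.7 walks through a list of
# usernames with leaked passwords and gets two hits; 198.51.100.4 is one
# user mistyping their own password; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol OK
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank OK
2023-10-01T10:00:05Z 203.0.113.7 grace FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-10-01T10:00:06Z 203.0.113.7 ivan FAIL
2023-10-01T10:00:06Z 203.0.113.7 judy FAIL
2023-10-01T10:00:10Z 198.51.100.4 alice FAIL
2023-10-01T10:00:20Z 198.51.100.4 alice FAIL
2023-10-01T10:00:30Z 198.51.100.4 alice OK
2023-10-01T10:05:00Z 192.0.2.9 mallory OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass
class Finding:
    ip: str
    distinct_users: int = 0          # most distinct usernames seen in one window
    failure_ratio: float = 0.0       # highest failure ratio seen in one window
    successful_logins: list = field(default_factory=list)  # accounts the attacker got into


def parse_log(text):
    """Turn the assumed log format into LoginEvent objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_distinct_users=5, min_failure_ratio=0.5):
    """Flag source IPs that try many *different* usernames in a short window
    with a high failure rate: the signature of replaying leaked credential
    pairs, as opposed to one user fumbling their own password.

    Returns {ip: Finding}. A finding's successful_logins lists the accounts
    whose reused password worked from that IP.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        hits = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span covers at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            ratio = sum(1 for e in span if not e.success) / len(span)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                f = findings.setdefault(ip, Finding(ip))
                f.distinct_users = max(f.distinct_users, len(users))
                f.failure_ratio = max(f.failure_ratio, ratio)
                hits.update(e.user for e in span if e.success)
        if ip in findings:
            findings[ip].successful_logins = sorted(hits)
    return findings


def accounts_to_reset(findings):
    """Every account that was successfully logged into from a flagged IP."""
    return sorted({u for f in findings.values() for u in f.successful_logins})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for f in found.values():
        print(f"{f.ip}: {f.distinct_users} usernames, "
              f"{f.failure_ratio:.0%} failures, hits={f.successful_logins}")
    print("force password reset and MFA enrolment for:", accounts_to_reset(found))
```

On the constructed log this flags only 203.0.113.7 (ten usernames in five seconds, 80% failures) and reports carol and frank as the accounts whose recycled passwords worked, while alice’s three attempts from 198.51.100.4 are left alone because they involve a single username. Per-IP counting is deliberately simple; in practice the same pattern is also spread thinly across many addresses, so the same window logic is usually run per user agent, ASN or device fingerprint as well, and MFA remains the control that stops a correct reused password from being enough on its own.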

Setting strong and unique passwords and implementing multifactor authentication are the first two of the four cybersecurity measures being promoted this Cybersecurity Awareness Month. The 23andMe data breach clearly demonstrates why these two cybersecurity measures are so important.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
