23andMe Enhances User Agreement to Shield Against Data Breach Lawsuits
Genetic testing service 23andMe has updated its user agreement to avoid potential data breach lawsuits. Customers must now agree to resolve any legal disputes through arbitration and won’t be able to file class-action lawsuits. The move follows several high-profile data breaches that have led to costly legal settlements for companies.
Genetic testing provider 23andMe is currently facing multiple lawsuits due to an October credential stuffing attack that resulted in the theft of customer data. In response, the company has made changes to its Terms of Use, making it more difficult for customers to sue it.
Last October, a cybercriminal attempted to sell 23andMe customer data but ultimately failed, leading them to leak the data of 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.
Our IT Services team learned that the data was obtained through credential stuffing attacks used to breach customer accounts. The cybercriminals exploited a limited number of these accounts to access the ‘DNA Relatives’ feature and scrape the data of millions of individuals.
In a recent update, 23andMe disclosed that a total of 6.9 million people were affected by the breach — 5.5 million through the DNA Relatives feature and 1.4 million through the Family Tree feature.
Terms of Use Updates: Preventing Lawsuits?
As a result of the breach, 23andMe is now facing numerous lawsuits. In an effort to minimize legal troubles, the company updated its Terms of Use on November 30th. The updated terms now require mandatory arbitration for all disputes, prohibiting jury trials or class action lawsuits.
The updated Terms of Use state, “These terms of service contain a mandatory arbitration of disputes provision that requires the use of arbitration on an individual basis to resolve disputes in certain circumstances, rather than jury trials or class action lawsuits.”
23andMe sent emails to customers informing them of the change and advising that they had 30 days to notify the company at cu**********@23*****.com if they disagreed with the new terms. Customers who disputed the update would remain on the previous Terms of Service.
However, Nancy Kim, a Chicago-Kent College of Law professor, told Axios that this change in the Terms of Use may not protect 23andMe from lawsuits. It could be difficult for the company to prove that it provided reasonable notice for customers to opt out of the new terms.