
Lawsuits Surge Against 23andMe as Hacker Exposes Stolen Genetic Data

Discover the latest lawsuits faced by 23andMe after a hacker exposed stolen genetic data. Learn about the potential risks and implications of this breach, and how it highlights the importance of robust security measures in safeguarding sensitive genetic information. Stay informed on the legal developments surrounding this incident and the potential impact on users’ privacy.


23andMe Faces Multiple Class Action Lawsuits Following Data Breach

Genetic testing provider 23andMe is currently facing several class action lawsuits in the United States after experiencing a significant data breach that is believed to have impacted millions of its customers.

Recently, a threat actor leaked customer data from 23andMe on hacker forums. The leaked data, found in a CSV file named ‘Ashkenazi DNA Data of Celebrities.csv,’ allegedly contains the information of nearly 1 million Ashkenazi Jews who used 23andMe services to discover their ancestry and genetic predispositions.

[Image: Initial leak of 23andMe data on a hacking forum. Source: BleepingComputer]

The leaked CSV file contained various pieces of information, including 23andMe users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details.

Although the original hacker removed the post and started selling stolen 23andMe data, other threat actors continued to circulate the original leak within cybercrime communities and forums.

In response to an inquiry, 23andMe stated that the hackers gained access to their platform through credential-stuffing attacks on weakly secured accounts. However, they denied claims of a direct security breach of their systems.

A spokesperson from 23andMe explained that the attackers initially accessed a small number of accounts, but due to the activation of an optional feature called ‘DNA Relatives,’ they were able to exfiltrate data from a larger, unspecified number of clients.
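The credential-stuffing pattern described above (one source cycling through many accounts, most attempts failing, a few succeeding) is visible in ordinary authentication logs. The following is an added detection example, not 23andMe's code; the log format, IP addresses and account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format, not 23andMe data):
# one source hits six distinct accounts in five seconds and two succeed.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=u1001 result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=u1002 result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=u1003 result=OK
2023-10-01T12:00:03Z ip=203.0.113.7 user=u1004 result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=u1005 result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.7 user=u1006 result=OK
2023-10-01T12:00:30Z ip=198.51.100.9 user=u2001 result=FAIL
2023-10-01T12:00:45Z ip=198.51.100.9 user=u2001 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Yield (ip, user, succeeded) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts with mostly failures.

    A legitimate user retrying one account fails often but touches few
    accounts; a stuffing run touches many accounts and most attempts fail.
    Returns {ip: accounts that logged in OK from it}, i.e. the accounts
    whose sessions should be revoked and credentials reset.
    """
    attempts, failures = defaultdict(int), defaultdict(int)
    users, successes = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip].add(user)
        else:
            failures[ip] += 1
    flagged = {}
    for ip, n in attempts.items():
        if len(users[ip]) >= min_users and failures[ip] / n >= min_fail_ratio:
            flagged[ip] = sorted(successes[ip])
    return flagged
```

The second source (a single account retried once) is not flagged, while the first is, with its two successful logins listed as the accounts to contain.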

Following the publication of our report, 23andMe posted an announcement on their website, promising to individually inform affected customers and provide updates on the ongoing investigation carried out with the assistance of third-party experts and law enforcement authorities.

Numerous Lawsuits Filed

While users voluntarily activated the DNA Relatives feature, many argue that the associated risk of internal data-sharing should not exempt 23andMe from its responsibility to implement protective measures.

In this case, even users who followed proper security practices such as enabling two-factor authentication and using strong, unique passwords found their sensitive data exposed and leaked on cybercrime forums.

At least four class action lawsuits have been filed in California (Santana, Eden, Andrizzi, Lamons) seeking compensation for the harm caused by 23andMe’s failure to protect the plaintiffs’ data.

The lawsuits criticize the lack of information provided in the company’s official announcement regarding the security incident, the current state of customer data safety, the duration of the network breach, and the exact method of the cyberattack.

Furthermore, they argue that 23andMe failed to implement sufficient security measures to monitor their network for abnormal activity and take timely action to prevent the intrusion.

The legal actions emphasize that 23andMe, as a company handling sensitive medical data, should have been well aware of the heightened cybersecurity threats in the industry, especially given the numerous high-profile breaches that have demonstrated the value of such data.

“At all relevant times, Defendant had a duty to Plaintiffs and Class Members to properly secure their PII, encrypt and maintain such information using industry-standard methods, train its employees, utilize available technology to defend its systems from invasion, act reasonably to prevent foreseeable harm to Plaintiffs and Class Members, and to promptly notify Plaintiffs and Class Members when Defendant became aware that their PII may have been compromised.” – Santana v. 23andMe, Inc. complaint

The plaintiffs are seeking various forms of financial relief from 23andMe, including restitution, lifetime credit monitoring, compensatory and statutory damages and penalties, punitive damages, and coverage of attorney’s fees.

One of the complaints specifies nominal damages of $1,000 and punitive damages of $3,000 per member of the class action lawsuit, in addition to other requested forms of relief.
