Genetic testing company 23andMe has been accused in a class action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.
The lawsuit, filed Friday in federal court in San Francisco, also accused the company of failing to notify customers of Chinese and Ashkenazi Jewish ancestry that they appeared to have been specifically targeted and that their personal genetic information had been placed on “specially curated” lists that were shared and sold on the dark web.
The lawsuit was filed after 23andMe submitted a notification to the California Attorney General’s Office showing the company had been hacked over the course of five months, from late April 2023 to September 2023, before it became aware of the breach. According to the document, reported by TechCrunch, the company became aware of the breach on October 1, when a hacker made a post on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.
The company first disclosed the breach in a blog post on October 6 in which it said a “threat actor” had gained access to “certain accounts” using “recycled login credentials” – old passwords that 23andMe customers had reused on other sites that had been compromised.
The company revealed the full extent of the breach in an updated blog post on December 5, following the completion of an internal review assisted by “third-party forensic experts.” By then, users’ personal genetic information and other sensitive material had been made available and offered for sale on the dark web for two months, according to Eli Wade-Scott, an attorney for the plaintiffs.
23andMe did not immediately respond to requests for comment on the lawsuit.
Jay Edelson, another attorney representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.
“Now, when we review data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” Edelson said in an email Friday. “The standard for when a company acts reasonably to protect data is now higher, at least for the type of data that can be used in this way.”
A Florida father of two, one of two plaintiffs named in the lawsuit, said in an interview that the 23andMe kit he bought himself as a birthday present last year revealed he had Ashkenazi Jewish origins. The man, identified in the complaint only by the initials JL, spoke on condition of anonymity because he said he feared for his safety.
He was looking to connect with relatives, he said, so he opted for a feature called DNA Relatives, in which select information is shared with other 23andMe customers who may have a close genetic match.
The hacker gained access to this feature and to information from 5.5 million DNA Relatives profiles, 23andMe said in December. Profiles can include the customer’s geographic location, birth year, family tree, and uploaded photos.
The hacker was also able to access the profile information of another 1.4 million customers by accessing a feature called Family Tree.
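The mechanism the article describes has two stages: logins with passwords reused from other breaches (credential stuffing), followed by a small number of compromised accounts pulling the DNA Relatives and Family Tree data of millions of other customers. The following is an added example, not code from the article or from 23andMe, showing how a defender could surface both stages from ordinary logs. The log layout, the field names and the thresholds (20 distinct usernames per source IP, 200 relative profiles per account) are assumptions chosen for illustration, and the log records are constructed.

```python
"""Detect credential stuffing and relative-profile scraping from constructed logs.

Added example; the record formats and thresholds are assumptions, not 23andMe's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample records (not real data) ------------------------------
BASE = datetime(2023, 5, 1, 3, 0, 0)

# Auth record: (timestamp, source_ip, username, outcome)
AUTH_LOG = []
# One IP tries 40 different usernames within a few minutes; three succeed
# because those users reused a password exposed elsewhere.
for i in range(40):
    outcome = "success" if i in (5, 17, 29) else "failure"
    AUTH_LOG.append((BASE + timedelta(seconds=4 * i), "203.0.113.10",
                     f"user{i:03d}@example.com", outcome))
# A legitimate user mistypes twice, then logs in.
for i, outcome in enumerate(["failure", "failure", "success"]):
    AUTH_LOG.append((BASE + timedelta(minutes=1, seconds=i), "198.51.100.7",
                     "alice@example.com", outcome))

# Relatives-view record: (timestamp, username, viewed_profile_id)
VIEW_LOG = []
# The compromised user017 pages through 600 relatives' profiles in 10 minutes.
for i in range(600):
    VIEW_LOG.append((BASE + timedelta(minutes=5, seconds=i),
                     "user017@example.com", f"profile-{i}"))
# A normal user looks at a dozen relatives.
for i in range(12):
    VIEW_LOG.append((BASE + timedelta(minutes=6, seconds=10 * i),
                     "alice@example.com", f"profile-{9000 + i}"))


def _window_slices(records, window):
    """Yield sliding-window slices of time-sorted records whose span <= window."""
    start = 0
    for end in range(len(records)):
        while records[end][0] - records[start][0] > window:
            start += 1
        yield records[start:end + 1]


def detect_credential_stuffing(auth_log, window=timedelta(minutes=10),
                               min_distinct_users=20, min_failure_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    Returns {ip: stats} where stats includes the accounts that DID log in from
    that IP; those are the likely compromised accounts to reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(auth_log):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, events in by_ip.items():
        best = None  # the window with the most distinct usernames
        for chunk in _window_slices(events, window):
            users = {u for _, u, _ in chunk}
            if best is None or len(users) > best["distinct_users"]:
                successes = sorted({u for _, u, o in chunk if o == "success"})
                best = {"distinct_users": len(users), "attempts": len(chunk),
                        "successful_logins": successes,
                        "failure_ratio": 1 - len(successes) / len(chunk)}
        if (best["distinct_users"] >= min_distinct_users
                and best["failure_ratio"] >= min_failure_ratio):
            flagged[ip] = best
    return flagged


def detect_relative_scraping(view_log, window=timedelta(minutes=15),
                             max_profiles=200):
    """Flag accounts viewing far more distinct relative profiles than a person would.

    Returns {username: peak distinct profiles seen within one window}.
    """
    by_user = defaultdict(list)
    for ts, user, pid in sorted(view_log):
        by_user[user].append((ts, pid))
    flagged = {}
    for user, views in by_user.items():
        peak = max(len({p for _, p in chunk}) for chunk in _window_slices(views, window))
        if peak > max_profiles:
            flagged[user] = peak
    return flagged


def accounts_to_reset(auth_log, view_log):
    """Union of accounts that logged in from a stuffing IP and accounts that scraped."""
    suspects = set()
    for stats in detect_credential_stuffing(auth_log).values():
        suspects.update(stats["successful_logins"])
    suspects.update(detect_relative_scraping(view_log))
    return sorted(suspects)


if __name__ == "__main__":
    print(detect_credential_stuffing(AUTH_LOG))
    print(detect_relative_scraping(VIEW_LOG))
    print(accounts_to_reset(AUTH_LOG, VIEW_LOG))
```

The second heuristic matters as much as the first: even a handful of stuffed accounts is a mass exposure when a sharing feature lets each one read the profiles of thousands of relatives, so per-account rate limits on that feature are a control in their own right, independent of password hygiene.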
After 23andMe informed JL and millions of other users that their data had been breached, JL said he feared he could become a target as anti-Semitic hate speech and violence were increasing, fueled by the conflict between Israel and Gaza.
“Now that the information is out there,” he said, “someone might come in and decide to vent their frustrations.”
According to the complaint, on October 1, a hacker calling himself “Golem” and using the image of Gollum from the “Lord of the Rings” films as his avatar disclosed the personal data of more than 1 million 23andMe users of Jewish ancestry on BreachForums, an online forum used by cybercriminals. The data included users’ full names, home addresses and dates of birth.
Later, in response to a forum request for access to “Chinese accounts” from someone using the pseudonym “Wuhan,” Golem responded with a link to the profile information of 100,000 Chinese customers, according to the complaint. Golem claimed to have a total of 350,000 Chinese customer profiles and offered to release the others if there was interest, the lawsuit states.
On October 17, Golem returned to the forum to say he had data on “wealthy families in the service of Zionism” that he was offering for sale in the aftermath of the deadly explosion at Gaza City’s Al-Ahli Arab Hospital, the lawsuit says. Israeli officials and Palestinian militants have blamed each other for the explosion, but Israeli and American intelligence agencies say it was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“The current geopolitical and social climate,” the lawsuit claims, “amplifies the risks” for users whose data was exposed. Rep. Josh Gottheimer, Democrat of New Jersey, called for an FBI investigation into the breach earlier this month, highlighting the focus on Ashkenazi Jews.
“The leaked data could allow Hamas, its supporters, and various international extremist groups to target the American Jewish population and their families,” Gottheimer wrote in a letter to Christopher Wray, the FBI director.
Ramesh Srinivasan, a professor in the information studies department at the University of California, Los Angeles, said it’s inevitable that these types of breaches will continue.
The question, he said, is whether companies will address these problems by taking serious precautions – tightening security or limiting data retention, for example – or whether they will simply apply a Band-Aid and promise to do better next time.
“We are staring into the abyss when it comes to the datafication of our lives,” he said.