The recently-filed class action claims that 23andMe failed to notify users whose personal information was stolen in a breach that may have targeted Jewish and Chinese customers.
Genetic testing company 23andMe is facing a class-action lawsuit accusing it of having failed to protect the privacy of customers whose personal information was exposed in a 2023 data breach.
According to The New York Times, the complaint was filed earlier today in a San Francisco-based federal court. Attorneys for the class observed that the data breach appears to have targeted consumers with Chinese and Ashkenazi Jewish heritage, who were never given any warning that their information had been compiled into “specially curated lists” and sold on the so-called “dark web.”
In a recent article detailing the claim, the New York Times notes that the class action was initiated shortly after 23andMe submitted a report to the California Attorney General’s Office, which indicates that the company was breached over the five-month period between April 2023 and September 2023.
During this time, 23andMe was not aware that unauthorized actors were accessing, or attempting to access, sensitive consumer information.
An attorney for the class has since said that 23andMe’s apparently lackadaisical approach to customer data could herald “a paradigm shift in consumer privacy law.”
“Now when we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” attorney Jay Edelson told The New York Times. “The standard for when a company acts reasonably to protect data is now a higher one, at least for the type of data that can be used in this manner.”
One of the two plaintiffs named in the lawsuit told the Times that he had purchased a 23andMe genetic testing kit as a birthday present for himself. After collecting a saliva sample and receiving his results, he found that he had Ashkenazi Jewish heritage.
The man, identified only by his initials—J.L.—said that he used 23andMe’s DNA Relatives service, which connects users whose genetic profiles suggest that they might be related.
Although it does not appear that the breach exposed consumers’ actual genetic data, it did siphon significant amounts of information from the DNA Relatives feature, including consumers’ full names, birth years, relationship labels, and ancestry reports.
The hacker also obtained the information of another 1.4 million customers through 23andMe’s “Family Tree” service.
J.L. says that he fears that his Jewish heritage could expose him to antisemitic hate speech or violence, especially in light of the ongoing conflict between Israel and Hamas.
“Now that the information is out there,” J.L. said, “somebody could come in and decide they’re going to take out their frustrations.”
The New York Times reports that, in the months after the breach, a BreachForums user going by the screen name “Golem” uploaded the information of ethnically Chinese 23andMe members.
Later, about 10 days after Hamas staged its violent October 7th incursion into Israel, Golem returned to the forum to say that he had data about “wealthy families serving Zionism.”
“The current geopolitical and social climate,” the lawsuit alleges, “amplifies the risks” to users whose data may have been exposed.
23andMe has faced extensive criticism for its response to the breach. In a letter sent to victims, the company said that hackers accessed accounts through a “brute-force” technique.
Brute-forcing, notes TechCrunch, involves locating accounts that use recycled passwords revealed in attacks on other websites and services.
“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company wrote in its letter to victims. “The incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”
The pending class action seeks a jury trial and unspecified damages.