Genetic testing company 23andMe is accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.
The lawsuit, filed Friday in San Francisco federal court, also accused the company of failing to inform customers of Chinese and Ashkenazi Jewish heritage that it appeared they had been specifically targeted or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.
The lawsuit was filed after 23andMe filed a notice with the California Attorney General’s Office showing that the company was breached over a period of five months, from late April 2023 to September 2023, before it became aware of the breach. According to the filing, which was reported by TechCrunch, the company learned of the breach on Oct. 1 when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and shared a sample as proof.
The company first disclosed the breach in a blog post on Oct. 6, in which it said a “threat actor” had gained access to “certain accounts” using “recycled login credentials” — old passwords that 23andMe customers had used on other sites that had been hacked.
The company revealed the full scope of the breach in an updated blog post on Dec. 5, after completing an internal review with the help of “third-party forensics.” By that time, according to Eli Wade-Scott, an attorney for the plaintiffs, users’ personal genetic information and other sensitive material had been available and offered for sale on the dark web for two months.
23andMe did not immediately respond to requests for comment on the lawsuit.
Jay Edelson, another attorney representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit marked “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.
“Now, when we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” Mr. Edelson said in an email Friday. “The standard for when a company acts reasonably to protect data is now higher, at least for the type of data that can be used in this way.”
A Florida father of two who is one of two named plaintiffs said in an interview that the 23andMe kit he bought as a birthday present last year revealed he had Ashkenazi Jewish heritage. The man, identified in the complaint only by his initials, JL, spoke on condition of anonymity because he said he feared for his safety.
She was looking to connect with relatives, she said, so she opted for a feature called DNA Relatives, where selected information is shared with other 23andMe customers who may be a close genetic match.
The hacker gained access to that feature and information from 5.5 million DNA Relatives profiles, 23andMe reported in December. Profiles may include a customer’s geographic location, year of birth, family tree, and uploaded photos.
The hacker was also able to gain access to the profile information of an additional 1.4 million customers by accessing a feature called Family Tree.
After 23andMe notified JL and millions of other users that their data had been breached, JL said he feared he could become a target as anti-Semitic hate speech and violence increase, fueled by the conflict between Israel and Gaza.
“Now that the information is out there,” he said, “someone could come along and decide they’re going to take out their frustration.”
On Oct. 1, according to the lawsuit, a hacker calling himself “Golem” and using an image of Gollum from the “Lord of the Rings” movies as an avatar leaked the personal data of more than 1 million 23andMe users of Jewish origin on BreachForums, an online forum used by cybercriminals. The data included users’ full names, home addresses and dates of birth.
Later, in response to a forum request for access to “Chinese accounts” from someone using the alias “Wuhan,” Golem responded with a link to the profile information of 100,000 Chinese customers, according to the lawsuit. Golem said he had a total of 350,000 Chinese customer profile files and offered to release the rest of them if there was interest, the suit says.
On Oct. 17, Golem returned to the forum to say he had data on “wealthy families serving Zionism” that he offered for sale in the wake of the deadly blast at the Al-Ahli Arab Hospital in Gaza City, the lawsuit said. Israeli officials and Palestinian militants blamed each other for the blast, but Israeli and US intelligence say it was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“The current geopolitical and social climate,” the lawsuit argued, “intensifies the risks” to users whose data was exposed. Representative Josh Gottheimer, D-New Jersey, called for an FBI investigation into the breach earlier this month, citing the focus on Ashkenazi Jews.
“The leaked data could empower Hamas, its supporters and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to Christopher Wray, the FBI director.
Ramesh Srinivasan, a professor in the intelligence studies department at the University of California, Los Angeles, said it was inevitable that these types of breaches would continue.
The question, he said, is whether companies will deal with them by taking serious precautions — tightening security or limiting data retention, for example — or whether they’ll simply apply a Band-Aid by promising to do better next time.
“We’re staring into the abyss when it comes to recording data of our lives,” he said.