The Case of the Sleepy Cyberattack on 23andMe

Women in Tech Society
6 min read, Jan 31, 2024

As people become more interested in unlocking information about themselves, they have sought out the latest cutting-edge technologies, such as genetic testing, to learn about their ancestry. Many companies advertise these services as accessible and affordable, without compromising on the integrity or accuracy of traditional testing services. One such company is 23andMe, a direct-to-consumer testing service that lets individuals run their own tests at a fraction of the cost. Customers collect their own samples before sending them to a specialised laboratory for analysis. The results offer insight into ancestry, health and wellness by mapping a person’s genetic makeup and what their future might look like, health-wise. Users can also download their raw DNA data from 23andMe to explore and interpret it further.

Despite their popularity, direct-to-consumer testing services come with a warning regarding their precarious security measures and the privacy of consumer data. This was borne out when, in late 2023, consumers were informed of a mass data breach at 23andMe dating back to April 2023, in which hackers gained access to large amounts of private data. The accessed data included customers’ names, “birth year, family tree, location and photos users added to their accounts,” as well as other information such as “display name, recent login details, percentage of DNA shared with their relatives’ matches and predicted relationship with that person” [1]. The hackers gained access through “old, compromised passwords” before reaching a wider portion of the customer database, including genetic information [1]. Overall, it is estimated that approximately 5.5 million to 6.9 million users had their most intimate data compromised as a result of the breach, which amounts to almost 50% of 23andMe’s entire database [1, 2].

This hacking tactic is called a credential stuffing attack: attackers take username and password pairs leaked in breaches of other services and replay them at scale, so that a single compromised credential, reused by its owner across sites, grants access to another service.

While security breaches and hacking have become a major concern in an age where personal information and data are commodified and used as currency, there is still an expectation that companies will make privacy and security a high priority. This is especially important for companies handling sensitive genetic data, which essentially contains everything about a person. In light of this, it is extremely shocking to learn that 23andMe admitted it had been entirely unaware of the breach until October 2023, by which point it had already been going on for several months [3]. It is still unclear how the company allowed the attack to go undetected for its entire duration, during which intimate health details such as predisposition and wellness reports were also stolen [3]. It is, however, clear how the company became alert to the breach: hackers advertised the stolen data online via Reddit forums and other designated spaces [4]. This triggered a cautionary password-reset campaign from the company, but by that point it was too late.
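The two passages above describe the tactic (credential stuffing) and the months-long detection gap. The following is an added illustration, not code from the article or from 23andMe, of the kind of login-log heuristic a defender could run to surface credential stuffing early: a stuffing source tries many different accounts and mostly fails, whereas a legitimate user fails a few times on one account. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
"""Credential-stuffing detector over constructed login events.

Flags a source IP when, within WINDOW, it attempts at least MIN_ACCOUNTS
distinct accounts with a failure rate of at least MIN_FAIL_RATE, and
reports which accounts that source nonetheless logged into.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not real 23andMe data).
SAMPLE_LOG = """\
2023-04-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-04-02T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-04-02T10:00:03Z ip=203.0.113.7 user=carol result=SUCCESS
2023-04-02T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-04-02T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-04-02T10:00:06Z ip=203.0.113.7 user=frank result=FAIL
2023-04-02T10:00:20Z ip=198.51.100.9 user=grace result=FAIL
2023-04-02T10:00:25Z ip=198.51.100.9 user=grace result=FAIL
2023-04-02T10:00:30Z ip=198.51.100.9 user=grace result=SUCCESS
"""

MIN_ACCOUNTS = 5          # distinct accounts tried from one source
MIN_FAIL_RATE = 0.6       # share of attempts that failed
WINDOW = timedelta(minutes=10)

def parse(line):
    """Split one 'ts key=value ...' line into (datetime, fields dict)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), fields

def detect(log_text):
    """Return {ip: sorted accounts successfully accessed} for flagged IPs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, f = parse(line)
        events[f["ip"]].append((ts, f["user"], f["result"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            accounts = {u for _, u, _ in window}
            fails = sum(1 for _, _, r in window if r == "FAIL")
            if len(accounts) >= MIN_ACCOUNTS and fails / len(window) >= MIN_FAIL_RATE:
                flagged[ip] = sorted(u for _, u, r in window if r == "SUCCESS")
                break   # one hit per source is enough to raise an alert
    return flagged

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # {'203.0.113.7': ['carol']}
```

The accounts listed for a flagged source are the ones whose credentials were evidently valid, so they are the first candidates for a forced password reset and session revocation.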

Although customers were not informed of this, much of the data was also “compiled into curated lists” before being sold on the dark web [5, 6].

Following the announcement that 23andMe’s security had been severely breached, endangering customer privacy, several class action lawsuits have been proposed and filed in Canada and the United States, respectively. The lawsuits cite negligence in the company’s “data retention and protection practices,” and inadequate security measures that allowed the attack to occur in the first place [6, 7]. They also seek compensation for the damages already incurred, including emotional distress, and for those that will undoubtedly continue to be incurred as a result of the privacy infractions allowed by 23andMe [10]. As more information is revealed, the class action lawsuits continue to grow as more plaintiffs join the claim.

One lawsuit cites 23andMe’s failure to notify customers that they were “specifically targeted” for their Chinese or Ashkenazi Jewish heritage [5, 8], as these groups were singled out during the cyberattack. Hackers leaked the personal information, including names and addresses, of “1 million users with Ashkenazi Jewish ancestry” on a dark web site [8]. Following this, a discussion on a dark web forum asking for “Chinese accounts” prompted the release of a file with information on 100,000 users of Chinese heritage — though the poster admitted to having close to 350,000 Chinese user profiles [8]. These targeted releases raised even more questions about what the company has done to protect private data, and motivated the legal action against the company.

In response, 23andMe decided to maintain its position on the matter. The company’s lawyers decided that the best way to respond to the victims of the data breach was to blame them for the violation of their privacy. 23andMe maintained that by “negligently” recycling old passwords and failing to update them, users had compromised themselves and their data, thus absolving the company of responsibility [9]. Lawyers representing the victims responded that the company has yet to take responsibility for its lack of sufficient security measures, for its failure to detect the breach as it was happening, and for its deplorable treatment of victims since. The company also maintained that it was futile for its customers to pursue any legal action, since their claims would be “allegedly meritless” as the hacked information “cannot be used for any harm” [10].

In light of this, customers have noticed signs that the company is continuing with “business as usual” [1]. The company even changed its terms of service in a “cynical” and “self-serving” move that further cements its position as uninvolved in the breach [11]. It is also an attempt to dissuade customers from exercising their rights following this cyberattack and any future breaches in security. The case has illustrated not only the perils of corporate failures to assure the safety of customers and their information, but also the potential for negligence and contract breaches in an increasingly technological age. As it continues to unfold, it will show just how important corporate responsibility is in assuring both individual and collective rights, including consent and accountability.

Author: Kawthar Fedjki

Sources

[1] Schmunk, R. (2023, December 6). ‘It scared the hell out of me,’ says lead plaintiff in proposed class-action suit over data breach at 23andMe. CBC. https://www.cbc.ca/news/canada/23andme-data-breach-canadian-class-action-lawsuit-1.7049449

[2] Franceschi-Bicchierai, L. (2023, December 4). 23andMe confirms hackers stole ancestry data on 6.9 million users. TechCrunch. https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/

[3] Battle, P. (2024, January 26). 23andMe unveils more of the truth about massive DNA data breach. The Street. https://www.thestreet.com/technology/23andme-unveils-more-of-the-truth-about-that-massive-dna-data-breach

[4] Franceschi-Bicchierai, L. (2023, October 10). 23andMe resets user passwords after genetic data posted online. TechCrunch. https://techcrunch.com/2023/10/10/23andme-resets-user-passwords-after-genetic-data-posted-online/

[5] Carballo, R., Schmall, E., & Tumin, R. (2024, January 26). 23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says. The New York Times. https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html

[6] Bucher, A. (2023, December 29). 23andMe hit with another class action lawsuit over data breach. Top Class Actions. https://topclassactions.com/lawsuit-settlements/privacy/data-breach/23andme-hit-with-another-class-action-lawsuit-over-data-breach/

[7] Xiong, D. (2024, January 3). B.C. class-action seeks compensation over alleged 23andMe breach. Business in Vancouver. https://biv.com/article/2024/01/bc-class-action-seeks-compensation-over-alleged-23andme-breach

[8] Moon, M. (2024, January 27). Lawsuit says 23andMe hackers targeted users with Chinese and Ashkenazi Jewish heritage. Engadget. https://www.engadget.com/lawsuit-says-23andme-hackers-targeted-users-with-chinese-and-ashkenazi-jewish-heritage-132423486.html

[9] Newman, L. H., & Greenberg, A. (2024, January 6). Security News This Week: 23andMe Blames Users for Recent Data Breach as It’s Hit With Lawsuits. Wired. https://www.wired.com/story/23andme-blames-users-data-breach-security-roundup/

[10] Belanger, A. (2024, January 4). 23andMe told victims of data breach that suing is futile, letter shows. Ars Technica. https://arstechnica.com/tech-policy/2024/01/23andme-shamelessly-blaming-users-for-data-breach-lawyer-says/

[11] Franceschi-Bicchierai, L. (2023, December 11). 23andMe changes to terms of service are ‘cynical’ and ‘self-serving,’ lawyers say. TechCrunch. https://techcrunch.com/2023/12/11/23andme-changes-to-terms-of-service-are-cynical-and-self-serving-lawyers-say/
