If it is about a personal data leak, then it is a big thing already, now imagine if the data being leaked was the super personal category one? Like, your DNA profile? What then? Well, that’s what has happened in this 23AndMe Lawsuit, and that is why it is being talked about a lot in the mainstream media, mainly because it is about millions of such DNA profiles being leaked. So let’s just get to the details then.
What Is 23andMe And What Does The Company Do?
23andMe is a business that provides home DNA testing kits for sale. These kits are often promoted on social media or via commercials.
It is a pretty straightforward procedure. People submit their saliva sample to the firm, and the laboratory checks genetic data to make ancestry and some health traits reports. A lot of the time, people are using these reports to discover their family roots or uncover relatives with whom they share similar DNA.
Besides that, the platform features a DNA Relatives tool. This enables users to find and connect with others whose genetic markers are compatible with theirs.
Up to 2023, the organization had a customer base of approximately 14 million people across the globe. So it was repository a very large quantity of genetic and personal information. Users generally find security protection of a very high standard a must when a company deals in DNA data because DNA data is the most sensitive.
What Happened In The 2023 Data Breach?
The issue began in October 2023 when the first pieces of stolen personal information were leaked on an online forum used by hackers.
Very soon, 23andMe stated that the unauthorized parties had obtained data related to approximately 6.9 million user profiles. This figure was almost half of the total clients who had ever engaged the company.
This included not only the data the users had voluntarily provided for their profiles, such as:
- Full Names
- Display Photos
- Year Of Birth
- Geographical Data
- Family Names
- Heritage Information
- DNA Relationship Matches
Besides, some people had also uploaded family tree relationships and a brief description of themselves to their profiles.
Even though the DNA raw data files were not compromised, the hackers managed to get hold of a substantial amount of personal data connected to genetic profiles. As a result, many customers became concerned about their privacy and potential unauthorized use of their data.
How Did Hackers Access The Accounts?
The hackers committed credential stuffing.
It is a process by which usernames and passwords leaked from other websites during previous data breaches are used. The criminals test those login credentials on different websites to see if the password has been reused by a person.
Because many users use the same password on several platforms, some of the login attempts on 23andMe accounts were successful.
After a hacker obtained a certain account, he or she could see the information the user made available through the DNA Relatives feature. By using that feature, they could find out details about millions of related profiles.
Later on, the firm declared that its core internal systems were not compromised. Nevertheless, a large number of users exposed their personal information as a result of the unauthorized access to their accounts.
When Did The Lawsuits Begin?
The very first lawsuits were initiated in October 2023, hardly a moment after the data breach news was out.
People who had the service pointed out that the company did not do enough to secure their personal data. Simply put, they thought that better security measures might have kept the whole thing from happening.
This legal battle escalated to another phase in January 2024. Some of the complaints were that customers were never told that their genetic information could be paired or shared in manners they wouldn’t have expected.
Also, the government started leaning in. To illustrate, the Connecticut Attorney General through a letter asked difficult questions such as how the breach took place and what the number of affected individuals was.
All of this gaze added to the legal dragging of the company.
