23andMe Data Breach Lawsuit Says Victims’ Info Is ‘Already for Sale on the Black Market’ [UPDATE]
Last Updated on September 16, 2024
September 16, 2024 – 23andMe Data Breach Settlement: $30M Deal Resolves Dozens of Lawsuits
The 23andMe data breach lawsuit detailed on this page and dozens of related cases have been resolved with a proposed $30 million settlement.
23andMe faces a proposed class action lawsuit that alleges lax cybersecurity is to blame for a massive early-October 2023 data incident, which has reportedly resulted in users’ personal, genetic and ancestry information going up for sale on the black market.
The 48-page complaint, filed October 9 in California, accuses 23andMe of attempting to redirect blame for the incident to the “threat actors” who scraped certain accounts, in particular those belonging to users who opted into sharing data through the platform’s DNA Relatives feature. According to the complaint, the company claimed these actors used “recycled login credentials” from other websites that had previously been hacked.
In truth, the suit argues, 23andMe, which reportedly has more than 14 million users worldwide, has avoided admitting that its safeguards were inadequate and that this is the reason why the hackers were able to access sensitive user data in the first place.
According to the case, information compromised in the 2023 23andMe data hack included at least users’ names, sex, dates of birth, genetic ancestry results, profile photos and geographic location.
The lawsuit, citing troubling media reports, shares that the private data of millions of 23andMe users (one report says close to seven million) has already been put up for sale in online crime forums, including a site called BreachForums. At least one publication has reported that the stolen user data “seems to be part of a targeted attack focused on Ashkenazi Jews,” while the data of “hundreds of thousands with Chinese heritage” was also disclosed without authorization, the filing relays.
“Plaintiffs’ and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the [personally identifiable information] that Defendant collected and maintained is now in the hands of data thieves,” the suit states. “This present risk will continue for their respective lifetimes.”
Certain ethnic groups ‘targeted’ in 23andMe hack, reports say
According to Ars Technica, 23andMe, a biotech company that creates personalized genetic reports on “everything from ancestry composition to traits to genetic health risks,” confirmed the incident five days after an unknown actor took to an online forum to advertise the sale of users’ private data. In the forum posts, the entity reportedly claimed that 23andMe had been made aware of the hack two months earlier, though the company did not reveal the incident until October 6 in a press release titled “Addressing Data Security Concerns.”
The crime forum post cited by Ars Technica reportedly claimed that the hackers obtained “13M pieces of data,” a claim that has not been substantiated by 23andMe. Other outlets, including The Record and Bleeping Computer, reported last week that one shared database contained information for one million users of Ashkenazi heritage, while a second database included the details of 300,000 people of Chinese heritage who also opted into 23andMe’s DNA Relatives feature.
Per Ars Technica, this feature allows users who opt in to see the basic profile details of others who allow their profiles to be seen by other DNA Relatives participants. If the DNA of one opted-in user matches another, each user gets access to the other’s ancestry information, the publication explained.
The stolen 23andMe data was reportedly offered for sale for $1 to $10 per account. One outlet cited in the lawsuit claims the 23andMe profiles of notable figures such as Mark Zuckerberg, Elon Musk and Sergey Brin were among those impacted by the data hack.
23andMe’s data breach notice falls short, lawsuit says
In a press release, 23andMe stated that, after learning of suspicious activity involving certain customer profiles, it immediately began an investigation. The company shared that it believed that the threat actor behind the hack “accessed 23andMe accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”
The case contends, however, that 23andMe’s data breach notice posted online is “deficient” in that, for one, the company fails to state whether it was able to “contain or end” the cybersecurity threat, leaving victims unsure as to whether their personal information is presently secure. The company also failed to specify in its notice how the incident occurred, the suit adds.
The lawsuit notes that, despite claims the company “encrypt[s] all sensitive information and conduct[s] regular assessments” to identify potential cybersecurity threats, the personal information compromised in the “foreseeable” data breach was not encrypted.
The suit accuses 23andMe of maintaining sensitive user data in a “reckless manner,” and of maintaining its computer network “in a condition vulnerable to cyberattacks.” The lawsuit further claims 23andMe failed to train employees to properly monitor the computer network and systems that housed the user information that was stolen.
“Had Defendant properly monitored its computer network and systems, it would have discovered the intrusion sooner, as opposed to letting cyberthieves roam freely in [its] IT network for and [sic] unknown period of time,” the filing asserts.
Who’s covered by the 23andMe data breach lawsuit?
The case looks to represent all individuals nationwide whose personally identifiable or health information was compromised by unauthorized parties in the data incident announced by 23andMe on or around October 6, 2023.
My info was compromised in the 23andMe hack. How do I get involved?
When a proposed class action lawsuit is first filed, there’s usually nothing you need to do to join, sign up for, or otherwise participate in the case. That’s because it’s typically only if and when a class action settles that the people covered by the suit, called “class members,” need to act. This tends to involve filling out and filing a claim form online or by mail to receive a piece of any settlement.
In the event of a settlement, class members might be notified of the deal by mail and/or email. This notice will contain details of the deal, instructions on what to do next, and more information on a consumer’s legal rights and options going forward.