Privacy Law
23andMe Data Breach
by: Danielle Ocampo
The Hack
On October 1, 2023, 23andMe, the personal genomics and biotechnology company, first learned of a cyber threat after confirming that user information was for sale on the dark web. 23andMe then investigated the hacker’s claim that 4 million genetic profiles of UK customers had been leaked.
The hackers used a credential stuffing attack: they took customer passwords that had been exposed in breaches of other sites and tried them against 23andMe, succeeding wherever customers had reused the same password for their 23andMe accounts. Customer data compromised included ancestry data, usernames, recent account login activity, DNA relationship matches, self-reported location information, family trees, ancestor birth information and surnames, profile pictures, and any other information the user chose to share to “introduce” themselves.
After its initial investigation, the company believed 14,000 accounts had been accessed, amounting to 0.1% of users, as reported in 23andMe’s Form 8-K filing with the SEC.
“Other Users’ Ancestry” Accessed
On December 4th, 23andMe confirmed that the true number of people exposed was 6.9 million, just shy of half of the company’s reported customers. The 5.5 million figure of compromised customers came to light because of an opt-in feature that allows DNA-related relatives to contact each other. The other 1.4 million users’ family tree profiles were accessed via the DNA Relatives feature. Hackers sold 23andMe profiles, which gave some details of genetic ancestry results, for $1 to $10 per account.
Once 23andMe completed its investigation with the assistance of third-party forensics experts, the company stated its intent to notify affected customers in compliance with the law and described enhanced protections for customer data, including password resets and mandatory two-step verification for all customers. Although 23andMe did not amend its SEC filing to reflect the breach’s expanded scope, 23andMe claimed it had elaborated on the information in the 8-K filing by providing more specific numbers.
Change to Updated Terms of Service
On December 7th, 23andMe updated the dispute resolution and arbitration provisions of its terms of service. Customers cannot sue the company, individually or as a class, to seek public injunctive relief for any irreparable harm. Instead, customers are automatically opted in to the updated terms, agreeing to arbitration of disputes on an individual basis in certain circumstances, unless a customer provides written notice opting out of arbitration. The new terms also introduce a process for mass arbitration when 25 or more demands are filed relating to the same or similar subject matter with common issues of law or fact, and counsel for the 25 or more parties are the same or coordinated.
The 23andMe blog provides customers and the public with news updates under the heading “Addressing Security Concerns.”