Genetic testing company 23andMe is accused in a class action lawsuit of failing to protect the privacy of customers whose personal information was exposed in a data breach last year that affected nearly seven million profiles.
The lawsuit, filed Friday in federal court in San Francisco, also accuses the company of failing to inform customers of Chinese and Ashkenazi Jewish backgrounds that they appeared to have been targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.
The lawsuit was filed after 23andMe submitted a notice to the California Attorney General's Office indicating that the company was hacked over the course of five months, from late April 2023 to September 2023, before it became aware of the breach. According to the filing reported by TechCrunch, the company learned of the breach on October 1, when a hacker on an unofficial 23andMe subreddit claimed to have customer data and shared a sample as evidence.
The company first revealed the breach on October 6 in a blog post that said a “threat actor” gained access to “certain accounts” by using “recycled credentials” – passwords that 23andMe customers had reused on other websites that had already been compromised, a technique commonly called credential stuffing.
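The attack pattern described above, recycled credentials tried against many accounts, has a recognisable signature in a login log: one source address touches a large number of distinct usernames, roughly once each, with mostly failures and a small number of successes. The following is an added example, not 23andMe's code or anything from the complaint; the log format, field names, addresses and thresholds are assumptions constructed for the illustration. It separates a stuffing source from a legitimate user who simply mistypes their own password several times, and it lists the accounts a flagged source actually got into, since those need a forced password reset and session revocation rather than just a block on the source.

```python
"""Flag credential-stuffing sources in a web login log (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one attempt per line: "timestamp ip username outcome".
# 203.0.113.7 sprays ten different accounts once each and lands two of them;
# 198.51.100.9 is one person retrying their own account; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2023-05-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-05-02T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-05-02T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-05-02T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-05-02T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-05-02T10:00:04Z 203.0.113.7 frank@example.com FAIL
2023-05-02T10:00:04Z 203.0.113.7 grace@example.com SUCCESS
2023-05-02T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2023-05-02T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-05-02T10:00:06Z 203.0.113.7 judy@example.com FAIL
2023-05-02T10:01:00Z 198.51.100.9 alice@example.com FAIL
2023-05-02T10:01:05Z 198.51.100.9 alice@example.com FAIL
2023-05-02T10:01:09Z 198.51.100.9 alice@example.com SUCCESS
2023-05-02T10:02:00Z 192.0.2.44 mallory@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated over the log."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list:
    """Turn the raw log into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "SUCCESS"))
    return events


def summarize(events) -> dict:
    """Aggregate attempts, successes and distinct usernames per source address."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.users.add(user)
    return dict(stats)


def flag_stuffing_sources(stats: dict, min_users: int = 5,
                          min_spread: float = 0.8,
                          max_success_rate: float = 0.5) -> set:
    """Credential stuffing: many distinct accounts per source, about one try
    each, mostly failing.  A user fumbling their own password hits a single
    account repeatedly, so they never reach min_users and are not flagged.
    Thresholds are illustrative assumptions, not production tuning."""
    flagged = set()
    for ip, s in stats.items():
        spread = len(s.users) / s.attempts      # 1.0 means a fresh account on every attempt
        if (len(s.users) >= min_users and spread >= min_spread
                and s.success_rate <= max_success_rate):
            flagged.add(ip)
    return flagged


def compromised_accounts(events, flagged: set) -> set:
    """Accounts a flagged source logged into successfully.  These are the
    'certain accounts' that need a forced reset and session revocation."""
    return {user for _ts, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    bad = flag_stuffing_sources(summarize(ev))
    print("stuffing sources:", sorted(bad))
    print("accounts to reset:", sorted(compromised_accounts(ev, bad)))
```

The point the detector makes is the one the breach illustrates: a low success rate is not reassurance. Two hits out of ten attempts are exactly what reused passwords produce, and each hit is a live session into whatever that account can see.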
The company disclosed the full extent of the breach in an updated blog post on December 5, after completing an internal review with assistance from “third-party forensic experts.” At that point, users' personal genetic information and other sensitive material had been made available and offered for sale on the dark web for two months, according to Eli Wade-Scott, an attorney for the plaintiffs.
23andMe did not immediately respond to requests for comment on the lawsuit.
Jay Edelson, another attorney representing the plaintiffs, said 23andMe's approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.
“As we look at data breaches now, our first concern will be whether the information will be used to systematically and en masse physically harass or harm people,” Mr. Edelson said in an email Friday. “The standard for when a company will act appropriately to protect data is now higher, at least for the type of data that can be used in this way.”
A father of two in Florida, one of the lawsuit's two named plaintiffs, said in an interview that the 23andMe kit he bought as a birthday present last year showed he was of Ashkenazi Jewish ancestry. The man, identified in the complaint only by his initials, JL, spoke on condition of anonymity because he said he feared for his safety.
He wanted to connect with relatives, he said, so he opted into a feature called DNA Relatives, which shares select information with other 23andMe customers who may be a close genetic match.
Through this feature, the hacker gained access to information from 5.5 million DNA Relatives profiles, 23andMe said in December, because each compromised account could view the profiles of every customer matched to it. Profiles can include a customer's geographic location, year of birth, family tree, and uploaded photos.
The hacker was also able to access the profile information of an additional 1.4 million customers through a feature called “Family Tree.”
After 23andMe informed JL and millions of other users that their data had been breached, JL said he feared he could become a target as anti-Semitic hate speech and violence increased, fueled by the conflict between Israel and Gaza.
“Now that the information is out there,” he said, “someone might come in and decide they're going to let their frustrations out.”
On October 1, a hacker who called himself “Golem” and used an image of Gollum from the “Lord of the Rings” films as an avatar leaked the personal information of more than 1 million 23andMe users of Jewish descent on BreachForums, an online forum used by cybercriminals, according to the lawsuit. The data included users' full names, home addresses and dates of birth.
Later, Golem responded to a request on the forum for access to “Chinese accounts” from someone using the pseudonym “Wuhan” with a link to the profile information of 100,000 Chinese customers, the lawsuit says. Golem said he had a total of 350,000 profile records of Chinese customers and offered to release the rest if there was interest, the lawsuit says.
On October 17, Golem returned to the forum and said he had data on “wealthy families serving Zionism” that he had put up for sale after the deadly explosion at Al-Ahli Arab Hospital in Gaza City, according to the complaint. Israeli officials and Palestinian militants blamed each other for the explosion, but Israeli and American intelligence agencies say it was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“The current geopolitical and social climate,” the lawsuit says, “increases the risks” to users whose data was exposed. Rep. Josh Gottheimer, Democrat of New Jersey, called for an FBI investigation into the breach earlier this month, noting that the leaked lists singled out Ashkenazi Jews.
“The leaked data could enable Hamas, its supporters and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to Christopher Wray, the FBI director.
Ramesh Srinivasan, a professor in the information sciences department at the University of California, Los Angeles, said it was inevitable that such breaches would continue.
The question, he said, is whether companies will address these problems with serious precautions – for example, by tightening security or limiting how much data they store – or whether they will simply apply a band-aid by promising to do better next time.
“We are staring into the abyss when it comes to the datafication of our lives,” he said.