California Lawsuit Targets 23andMe Over 2023 Data Breach


California Sues 23andMe for Failing to Protect User Data in 2023 Breach

The state of California has taken 23andMe, a prominent genetic testing company, to court for allegedly failing to safeguard sensitive user data in a 2023 breach that compromised nearly 7 million individuals.

According to the complaint, 23andMe neglected to implement basic security measures to prevent the breach, which involved “credential stuffing” – a tactic that exploits customers’ habit of using weak or common passwords.

The breach occurred when hackers utilized stolen user account credentials obtained from a 2017 data breach at MyHeritage, one of 23andMe’s former partners. Despite this, 23andMe did not prompt customers to reset their passwords or adopt multi-factor authentication, leaving them vulnerable to exploitation.

  • The attackers operated undetected within 23andMe’s systems for over five months, and were only detected when the stolen data was posted for sale on the dark web and the company was approached by the threat actor demanding a ransom.
  • The stolen data included sensitive information such as raw genetic data, health reports, and location and birth year details of relatives.
  • The lawsuit alleges that 23andMe misled consumers regarding the severity of the breach and the company’s role in it, despite acknowledging that the breach had occurred in October 2023.
  • Additionally, the company failed to properly investigate red flags, such as a suspicious spike in user login attempts in July and a post discussing a possible breach and sale of user data in August.
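The red flag the bullets describe (a spike in login attempts driven by replayed credential pairs from an earlier breach) is the kind of signal an authentication log can surface. What follows is an added example, not code from the article or from 23andMe: a small detector run over constructed login events, in which every IP address, username and threshold is an assumption chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    ts: int          # unix seconds
    src_ip: str
    username: str
    success: bool

# Constructed sample events (not real telemetry): one source cycling through
# many distinct accounts with mostly failures, beside ordinary user traffic.
SAMPLE_EVENTS = [
    LoginEvent(1000 + i, "203.0.113.7", f"user{i}@example.test", i % 10 == 0)
    for i in range(40)
] + [
    LoginEvent(1000 + i * 30, "198.51.100.2", "alice@example.test", True)
    for i in range(6)
] + [
    LoginEvent(1100, "198.51.100.9", "bob@example.test", False),  # typo, then retry
    LoginEvent(1160, "198.51.100.9", "bob@example.test", True),
]

def detect_credential_stuffing(events, window_s=600, min_users=10, min_fail_rate=0.7):
    """Flag source IPs that, inside one time window, try many distinct usernames
    with a high failure rate: the signature of automated replay of leaked
    credential pairs. Successful logins from a flagged source are the accounts
    that need a forced reset and an MFA prompt."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.src_ip, e.ts // window_s)].append(e)
    flagged = {}
    for (ip, _), evs in buckets.items():
        users = {e.username for e in evs}
        fails = sum(not e.success for e in evs)
        rate = fails / len(evs)
        if len(users) >= min_users and rate >= min_fail_rate:
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users),
                           "fail_rate": round(rate, 2),
                           "hits": sorted(e.username for e in evs if e.success)}
    return flagged

def attempt_spike(events, baseline_per_window, window_s=600, factor=3.0):
    """Return windows whose attempt count exceeds factor x baseline: the volume
    red flag, independent of which source produced the attempts."""
    counts = defaultdict(int)
    for e in events:
        counts[e.ts // window_s] += 1
    return {w: c for w, c in counts.items() if c > factor * baseline_per_window}
```

In practice both signals feed the same response: rate-limit the source, force password resets on the accounts that succeeded, and require multi-factor authentication rather than relying on customers not reusing passwords.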

Genetic data, which is considered particularly sensitive due to its unique nature, requires “one of the highest levels of protection.” California law mandates a heightened legal obligation to safeguard such data.

Lawsuit Details

The lawsuit seeks various civil penalties against 23andMe and injunctive relief to prevent future violations of California’s privacy protection laws.

Separately, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit related to the breach, which was later increased to $50 million to resolve most U.S. customer claims. This settlement was approved by a federal judge overseeing 23andMe’s bankruptcy proceedings.

Importance of Security Measures

The case highlights the importance of robust security measures in protecting sensitive user data, particularly in industries handling genetic information.

It also underscores the need for companies to prioritize transparency and accountability in responding to data breaches and respecting consumer trust.
