The genetic testing company 23andMe is currently facing three dozen class action lawsuits. The move is from customers who’ve had their personal information on the platform violated. The results of these suits have 23andMe on edge…
Yet, these are the consequences of their negligence of consumer safety. Here’s the rundown…
23andMe cybersecurity failure Results in Sensitive Data Stolen
For those who don’t know, 23andMe is a company that tests and evaluates customers’ DNA. Afterward, their profile displays medical information as well as ethnic and genetic history.
Normally, customers buy 23andMe kits to see what genetic information the results reveal. But most people completely undermined how sensitive the user data revealed can be…
Undervaluing this data is exactly what got the company into this catastrophic mess.
Since at least April of 2023, hackers have successfully accessed thousands of user accounts and their 23andMe results. It wasn’t until October of the same year that the company even realized there was a safety breach.
At first, the company confirmed that hackers stole data from 14,000 users. But soon after that, a spokesperson for 23andMe confirmed that the security breach affected more users. Specifically, users who’ve opted into a feature that allows users to connect with genetic relatives.
NOW, THE FIGURE IS LOOKING CLOSER TO 7 MILLION USERS AFFECTED. TO PUT IT IN PERSPECTIVE, THAT IS HALF OF ALL USERS ON 23ANDME.
The stolen data included the following user information:
- Names and profile images
- Addresses
- Health history including predisposition reports and carrier-status
- Genetic heritage
To make matters worse…
The hackers targeted accounts of individuals who had Chinese and Ashkenazi Jewish heritage.
The results of this breach put 23andMe users in a position of danger unlike any other.
NOW THAT STOLEN DATA IS UP FOR SALE ON DARK WEB FORUMS.
One of the class action lawsuits claims…
“Hackers placed those users in “specially curated lists” that could have been sold to individuals looking to do harm.”
You’d think that during a one-of-its-kind data breach, with massively dangerous implications for those victimized…
23andMe would respond in a professional, protective manner…
But the reality couldn’t be further from the truth.
23andMe’s Response
23andMe has, to put it lightly, not taken the situation well.
THE RESULTS OF 23ANDME’S MISCONDUCT? ENDLESS LEGAL FEES AND CLASS ACTION LAWSUITS.
There seems to be a trend of companies worth billions of dollars messing up in the most spectacular ways. Daily Harvest is another case study.
In an immediate action following the breach…
The company finally started requiring 2-factor authentication for their software…
A move that critics have been demanding for years by that point.
However, after the breach was disclosed to users…
23andMe sent letters to those who threatened legal action against the company.
The letters were sent mainly as damage control. They focused on two points:
- Despite the intimate information stolen, there is almost zero possibility of any real harm coming to the users. “The information that was potentially accessed cannot be used for any harm.”
- They claimed that the breach was due to customers who “negligently recycled and failed to update their passwords”
23andMe blamed the stolen information on its users for not changing their passwords often enough.
The hackers used a brute-force hacking technique called “credential stuffing”. This technique uses passwords associated with certain customers to break into the accounts.
This move by 23andMe resulted in thousands of critics across the tech industry wondering what inspired the company to mess up this badly.
A lawyer involved in one of the lawsuits stated,
“RATHER THAN ACKNOWLEDGE ITS ROLE IN THIS DATA SECURITY DISASTER, 23ANDME HAS APPARENTLY DECIDED TO LEAVE ITS CUSTOMERS OUT TO DRY WHILE DOWNPLAYING THE SERIOUSNESS OF THESE EVENTS,”
To complicate things further…
23andMe made changes in their terms of service which becomes suspicious considering the data breach.
Terms of Service Change
In an obvious move to try and avoid the inevitable wave of legal troubles…
Two days before the breach was disclosed to the public…
23andMe changed its terms of service. This made it more difficult for victims to file class action lawsuits and mass arbitration against the company.
Is this an act of divine timing or just the company trying to save themselves legal trouble? One thing this move isn’t is a coincidence.
Lawyers with experience in data breach victims commented that,
“THE CHANGES WERE “CYNICAL,” “SELF-SERVING” AND “A DESPERATE ATTEMPT” TO PROTECT ITSELF AND DETER CUSTOMERS FROM GOING AFTER THE COMPANY.”
The champions of blame-shifting, 23andMe denied the allegations and stated that…
“it made the changes to make resolutions for disputes occur faster.”
What Are The Potential Results For 23andMe?
The flurry of lawsuits, paired with the company’s recent history of missteps, could be the thing that knocks down 23andMe for good.
The potential implications of this data breach could put thousands of users at risk. The ethnicity-specific groupings could potentially be used to create a “hit list” in the worst scenario.
But beyond that, the data breach could mean users getting blackmailed and lead to serious identity theft.
The obvious neglect of consumer protection is going to ruin whatever reputation 23andMe has left…
But to be fair, 23andMe has been on a downward spiral even before the breach.
The company, which was valued at over $6 billion at its peak, is now worth $300 million and risks being delisted from the Nasdaq. They are at risk of running out of money by 2025.
In terms of the results of the lawsuits, 23andMe requested for all of the lawsuits to be consolidated in one giant trial. Rulings aren’t expected until March.
Conclusion
The results of the lawsuits could potentially spell a complete downfall for 23andMe.
Now, the company is dealing with the consequences of taking advantage of your credibility with customers. Many users are coming forward saying that they would’ve never signed up for the site if they had known how lax their security measures were.
Ultimately, 23andMe seemed to have forgotten that businesses are meant to provide value and solve problems for their customers…
Not create new ones.
Be Great,
GCTV Staff
Disclaimer: This content is intended to be used for educational and informational purposes only. Individual results may vary. You should perform your own due diligence and seek the advice from a professional to verify any information on our website or materials that you are relying upon if you choose to make an investment or business decision. Investment, real estate, and business involve great risk and there is no guarantee of performance or results.
We are not attorneys, investment advisers, accountants, tax professionals or financial advisers and any of the content presented should not be taken as professional advice. We recommend seeking the advice of a financial professional before you invest, and we accept no liability whatsoever for any loss or damage you may incur.
