The hacking that started with 14,000 records and grew to exposing the records and personally identifiable information (PII) of 6.9 million users, about half their customer database, has spawned over 30 class action lawsuits in the US, plus lawsuits in Ontario and British Columbia, Canada. 23andMe, in their responses to law firms and on their blog, told lawyers and users–not unexpectedly–that the data breaches were due to 23andMe users recycling login credentials, such as passwords, that were used on other–breached–websites, and failing to update them on 23andMe after those incidents.
However, as this Editor noted when this first broke in December, credential stuffing doesn’t account for either the targeting or the hacking of users who claimed they had unique credentials, including the US National Security Agency (NSA) cybersecurity director Rob Joyce, who creates a unique email for each of his accounts (!). It also doesn’t account for how 14,000 brute-force hacked records grew exponentially to 6.9 million records. One reason may be data sharing with a partner, MyHeritage, in adding functionality to Family Tree, or users sharing their information by opting into 23andMe’s DNA Relatives feature.
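The jump from a few thousand compromised logins to millions of exposed records is easier to see with a toy model of an opt-in relative-sharing feature. The following is an added illustration, not code from the article or from 23andMe; the users, the match graph, the opt-in rates and the numbers are all constructed, and the assumption that a compromised opted-in account can read every record it has been matched to is a modelling choice, not a description of the real feature. The `max_blast_radius` metric (the most records any single login can view) is the kind of number a defender would want to cap and monitor, because it bounds what one stolen credential yields regardless of how the password was obtained.

```python
"""Toy model of exposure amplification through an opt-in relative-sharing
feature. Added example, not 23andMe's code; all data below is constructed."""
import random
from collections import defaultdict


def build_relative_graph(num_users, opt_in_fraction, avg_relatives, seed=1):
    """Build a constructed, undirected 'relative match' graph.

    Returns (opt_in, relatives): the set of users who opted into sharing and a
    dict mapping each user to the set of users matched to them. Only opted-in
    users are ever matched, mirroring an opt-in feature (assumption).
    """
    rng = random.Random(seed)
    opt_in = {u for u in range(num_users) if rng.random() < opt_in_fraction}
    relatives = defaultdict(set)
    opted = sorted(opt_in)
    for u in opted:
        # each opted-in user is matched to roughly avg_relatives other opted-in users
        for _ in range(avg_relatives):
            v = rng.choice(opted)
            if v != u:
                relatives[u].add(v)
                relatives[v].add(u)
    return opt_in, dict(relatives)


def exposed_records(compromised, opt_in, relatives):
    """Records readable with the compromised accounts: their own records plus
    everything an opted-in compromised account can see through the feature."""
    exposed = set(compromised)
    for account in compromised:
        if account in opt_in:  # a non-opted-in account has no match list to read
            exposed.update(relatives.get(account, ()))
    return exposed


def amplification_factor(compromised, opt_in, relatives):
    """Exposed records per compromised account; 1.0 means no amplification."""
    if not compromised:
        return 0.0
    return len(exposed_records(compromised, opt_in, relatives)) / len(compromised)


def max_blast_radius(opt_in, relatives):
    """Largest number of other users' records any single account can view.
    Capping or alerting on this bounds what one stolen login can yield."""
    return max((len(relatives.get(u, ())) for u in opt_in), default=0)


if __name__ == "__main__":
    # constructed scenario: 20,000 users, 60% opted in, ~150 matches each,
    # 200 accounts compromised by credential stuffing
    opt_in, relatives = build_relative_graph(20000, 0.6, 150)
    stolen = set(random.Random(7).sample(range(20000), 200))
    exposed = exposed_records(stolen, opt_in, relatives)
    print(f"{len(stolen)} compromised accounts -> {len(exposed)} exposed records")
    print(f"amplification x{amplification_factor(stolen, opt_in, relatives):.1f}, "
          f"max blast radius {max_blast_radius(opt_in, relatives)}")
```

Running the scenario in `__main__` shows the point the article makes: the number of exposed records is driven by the opt-in population and the size of each account's match list, not by the number of passwords that were guessed, so a defence that only tells users to pick better passwords leaves the amplification untouched.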
It also does not account for how 23andMe squarely blamed users–that they were negligent in whatever passwords they used, that two-factor authentication was available since 2019 (but optional), that the information taken didn’t include highly sensitive information such as Social Security number, driver’s license number, or financial information. Therefore any lawsuits were futile, per a letter from 23andMe’s Greenberg Traurig to one of the class action firms, Tycko & Zavareei LLP. Afterwards, 23andMe reset all passwords and instituted mandatory multi-factor authentication, closing the barn door after the horse, cow, and goat got out and made it to the next county.
Playing into this is the weakness of US law around what constitutes ‘reasonable security procedures’ for securing personal information–and that is from the wording of the California Privacy Rights Act (CPRA), which may be the US’ toughest privacy law. On one hand, users have responsibility for a decent, unique password every time–but on the other hand, 23andMe bears responsibility for securing its shared data and not letting a breach get wildly out of hand like this one did. And what if next time it’s the actual DNA information?
The insult to injury: In December, 23andMe changed their terms of service to essentially indemnify themselves. Under the revised terms, users had exactly 30 days to opt out; otherwise they gave up the right to participate in a class action lawsuit and instead had to submit to private arbitration in the event of a dispute.