Genetic testing company 23andMe is now grappling with a class-action lawsuit accusing it of inadequately safeguarding the privacy of nearly seven million customers whose personal information was exposed in a data breach in 2023. Filed in federal court in San Francisco, the lawsuit alleges that 23andMe failed to notify customers with Chinese and Ashkenazi Jewish heritage, and states that these individuals were specifically targeted. The breach, affecting millions, unfolded over five months from late April 2023 through September 2023 and came to the company's attention only on October 1, 2023.
The lawsuit contends that 23andMe, in its notification to the California Attorney General’s Office, disclosed the breach after it had already taken place. The company initially disclosed the breach on October 6, attributing unauthorized access to "recycled login credentials" or old passwords reused from other compromised sites. However, the complete extent of the breach was not divulged until December 5, 2023, after an internal review assisted by third-party forensics experts.
The class-action lawsuit alleges that 23andMe's breach exposed personal genetic information and other sensitive data, which was subsequently made available and offered for sale on the dark web for two months. The plaintiffs argue that the company not only failed to adequately protect user data but also neglected to inform affected customers promptly.
Two named plaintiffs, including a father of two in Florida identified as J.L., expressed concerns about potential risks to their safety after learning about the breach. J.L., who purchased a 23andMe kit to explore his Ashkenazi Jewish heritage, found that his information, along with that of millions of others, was part of the compromised data.
The lawsuit also details the activities of the hacker, known as "Golem," who reportedly targeted users with Jewish ancestry and Chinese accounts. The hacker shared personal data, including full names, home addresses, and birth dates, on online forums. The plaintiffs argue that the current geopolitical and social climate amplifies the risks for users whose data has been exposed.
Legal experts view this lawsuit as a significant development in consumer privacy law, emphasizing a heightened standard for companies to protect sensitive data that could be used for targeted harassment or harm. The plaintiffs are seeking a jury trial and unspecified compensatory, punitive, and other damages, reflecting the serious implications of the alleged privacy breach.
As concerns about data breaches persist, experts highlight the need for companies to take serious precautions, such as tightening security and limiting data retention, to address the growing challenges associated with the increasing datafication of our lives.