23andMe notifies customers of DNA data breach

Genetics testing company 23andMe has emailed customers to alert them to a data breach. The security violation involves the DNA Relatives feature that allows customers to compare ancestry information with other users. The compromised data includes:

Millions of customers could be affected, but 23andMe has not offered victims any credit monitoring or identity protections following the breach. Instead, the company has encouraged users to strengthen their passwords and enable multi-factor authentication.

Victims of the 23andMe data breach are at risk

Following the hack, customers of 23andMe have taken to social media to share concerns that their sensitive data could be used against them. These worries are not unfounded because the hackers are now offering the assembled genetic information of thousands of people for sale on the dark web. According to media reports, this includes sale lists for people with Chinese and Ashkenazi Jewish ancestry, leading to concerns over how this data could be used. 

How did the data breach happen?

Unlike in other high-profile data breaches, on this occasion the hackers did not target the company’s servers. Instead, they targeted hundreds of individual user accounts using login credentials from previously compromised websites. This technique is called ‘credential stuffing’. After gaining access to some user accounts, the hackers then leveraged DNA matches to obtain information about thousands of other people.

Concerningly, 23andMe also stores genetic information about the relatives of some of its users, even if these relatives didn’t send a sample or consent to any data collection. As such, the ramifications of this breach could be considerable.

Claim compensation for the 23andMe data breach

In the wake of the 23andMe data breach, several actions have been launched in the US against the genetic testing company. Complaints include negligence, invasion of privacy, breach of contract, unjust enrichment, and other claims. There are also allegations that 23andMe’s response to the hack was deficient.  

We are investigating this incident to find out how it affects users and their relatives in England & Wales. If you receive notification of your involvement in this breach, sign up below to join our no-win, no-fee action and receive updates on this case.  

Deborah Stuttard
