23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says

23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says

The class-action suit said the genetic testing company failed to notify customers whose personal information was compiled into “curated” lists that were sold on the dark web.

The genetic testing company 23andMe is being accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.

The lawsuit, which was filed on Friday in federal court in San Francisco, also accused the company of failing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.

The suit was filed after 23andMe submitted a notification to the California Attorney General’s Office that showed the company was hacked over the course of five months, from late April 2023 through September 2023, before it became aware of the breach. According to the filing, which was reported by TechCrunch, the company learned about the breach on Oct. 1, when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.

The company first disclosed the breach in a blog post on Oct. 6 in which it said that a “threat actor” had gained access to “certain accounts” by using “recycled login credentials” — old passwords that 23andMe customers had used on other sites that had been compromised.

The company disclosed the full scope of the breach in an updated blog post on Dec. 5, after the completion of an internal review assisted by “third-party forensics experts.” By that time, according to Eli Wade-Scott, a lawyer for the plaintiffs, users’ personal genetic information and other sensitive material had been made available and offered for sale on the dark web for two months.

23andMe did not immediately respond to requests for comment about the lawsuit.

Jay Edelson, another lawyer representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.

We are having trouble retrieving the article content.

Please enable JavaScript in your browser settings.

Thank you for your patience while we verify access. If you are in Reader mode please exit and log into your Times account, or subscribe for all of The Times.

Thank you for your patience while we verify access.

Already a subscriber? Log in.

Want all of The Times? Subscribe.

Discover more from WIREDGORILLA

Subscribe now to keep reading and get access to the full archive.

Continue reading