In the wake of the recent 23andMe data breach that impacted millions of customers, new legal action is now being pursued against the genetic testing company. Four class action lawsuits were filed in the past week on behalf of 23andMe users whose personal and health data was compromised in the breach.
The first suit was filed on October 9th in California federal court. The complaint alleges negligence, invasion of privacy, breach of contract, and other claims against 23andMe for failing to properly secure customer data. It states that hackers who exploited recycled credentials accessed names, birthdates, ancestry results, photos, locations, and other sensitive information.
A second class action was filed on October 11th, also in California. The allegations echo those of the first case—that 23andMe did not adequately safeguard private customer data, leading to the breach. The complaint asserts additional claims, including breach of implied contract, unjust enrichment, and violations of California privacy laws.
Two other lawsuits were also filed (Andrizzi and Lamons), though they all criticize 23andMe's notification of the breach as deficient, lacking key details on the timeline, the extent of accessed data, and how the hack occurred in the first place. They also allege that 23andMe has not offered victims any credit monitoring or identity protections following the breach.
The suits seek various remedies, including financial compensation for victims, improved data security at 23andMe, and injunctive relief mandating reforms to prevent future incidents.
A particularly alarming aspect of the 23andMe breach is that it appears to have specifically targeted users of Ashkenazi Jewish descent. Reports indicate that profiles of nearly one million individuals with Ashkenazi heritage were compiled by the hackers and offered for sale online.
This raises serious concerns about the motivations behind the breach and how the genetic data could potentially be misused for nefarious purposes. By focusing on a particular ethnic group, the perpetrators added a troubling dimension to the data security incident.
The class action suits argue 23andMe failed in its obligations to protect all customers' personal information regardless of heritage or ethnicity. The targeting of Ashkenazi Jews further underscores the sensitivity of the genetic data entrusted to 23andMe and the harm that can ensue when such data is stolen.
23andMe previously stated it had found no evidence its own systems were breached, yet hackers exploited recycled credentials to access individual accounts. 23andMe claims to exceed industry cybersecurity standards, and has encouraged users to strengthen passwords and enable multi-factor authentication.
The pending legal action highlights the substantial fallout from the 23andMe breach, which involves highly sensitive genetic and health data. As the lawsuits progress, the proceedings will likely explore whether the company did enough to safeguard customer information and respond appropriately once the incident was discovered.
Follow SecureWorld News for more stories related to cybersecurity.