Congressional Scrutiny, Lawsuits Target Genetics Testing Firm’s Privacy Practices
Genetics testing firm 23andMe is facing intensifying scrutiny in the wake of a credential-stuffing hacking incident that leaked genetic ancestry information of potentially millions of customers. The company has been hit by at least 16 proposed U.S. federal class action lawsuits, and it has until Nov. 3 to respond to an inquiry by a high-ranking U.S. senator.
The proposed class action lawsuits seek monetary damages as well as an injunctive order for the California-based company – which has 14 million customers – to improve its data security practices.
Meanwhile, Sen. Bill Richards, R-La., ranking member of the Senate committee on health, education, labor and pensions and one of four physicians currently serving in the Senate, grilled 23andMe CEO Anne Wojcicki in an Oct. 20 letter, asking her to answer by Nov. 3 about a dozen questions about the breach and the company’s data protection practices.
“What search tools and algorithms does 23andMe use to allow large-scale downloads of user data based on specific demographics? How did hackers compile such a comprehensive list of impacted users to the dark web?” the senator asked.
“How was mass user data, allegedly hundreds of personal accounts per compromised user account, obtained by access to a few individual accounts?” he asked.
Threat actors earlier this month on the dark web claimed to have stolen “20 million pieces of code” from 23andMe. So far, leaked data that was put up for sale pertains to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry, 300,000 individuals with Chinese heritage, and in the latest leak reported by Bleeping Computer, 4.1 million genetic profiles for people in Great Britain and Germany.
23andMe earlier this month confirmed that it was investigating a credential-stuffing incident involving information scraped off the profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. DNA Relatives connects 23andMe users with distant genetic relatives – or other 23andMe users who share bits of DNA (see: 23andMe Investigation Apparent Credential Stuffing Hack).
23andMe in a statement to Information Security Media Group on Thursday declined to comment on the lawsuits and Cassidy’s letter. The company also maintained to ISMG its earlier position – as also reported to the U.S. Securities and Exchange Commission and relayed to customers in an Oct. 8 notice – that 23andMe “does not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
The proposed class action lawsuits so far – all filed in the same Northern California federal court between Oct. 9 and Oct. 24 – allege similar claims, including that highly sensitive information entrusted to 23andMe by the plaintiffs and millions of class member customers is in the hands of cybercriminals, putting them at risk for identity theft and fraud crimes due to the company’s negligence in failing to protect the highly personal data.
Some of the lawsuits also allege that the incident puts individuals at risk for discrimination and hate crimes because of leaked information about their genetic ancestry.
“Given the fact that this breach specifically targeted those with Ashkenazi Jewish ancestry and in a climate of rising anti-Semitism, that anxiety and the compromised privacy are even more acute,” alleges the lawsuit complaint filed on Oct. 19 by lead plaintiff David Tulchinsky.
Are Passwords the Problem?
Privacy attorney Adam Greene, who is not involved in the 23andMe case, said the proposed class actions against 23andMe most likely will be resolved through settlements rather than court decisions.
But in the course of the litigation and fallout, the case shines a spotlight on several critical issues involving the 23andMe incident and similar hacks.
“I think that this incident raises an important legal question for a court to resolve that strikes at the heart of our current password ecosystem,” he said.
“Is it reasonable for technology companies to rely on passwords alone when authenticating individuals? Or do technology companies have to build their security around the assumption that consumers will recycle passwords and such passwords will become compromised over time?” said Greene of the law firm Davis Wright Tremaine.
“The answer to this question could have a profound impact on how logins across the Internet work.”
Financial Impact to be Determined
23andMe in an Oct. 11 filing with the SEC said the company is still discerning the implications of the incident. “At this time, 23andMe is unable to predict the costs and magnitude of those consequences,” the company told the SEC.
The firm said it has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact.
“23andMe is fully cooperating with federal law enforcement in relation to this incident. 23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations,” the company told the SEC.
For the 2023 fiscal year ended March 30, 23andMe reported net revenue of $299 million and a net loss of $312 million. The company attributed the net loss to an increase in operating expenses compared with the prior year, including increased headcount and salaries related in part to the $400 million acquisition in 2021 of a telemedicine business, Lemonaid Health.
23andMe is scheduled to announce its fiscal 2024 second quarter results on Nov. 8.