Communications Litigation Today was a Warren News publication.
'Too Little, Too Late'

23andMe Didn't Disclose Targeting of Jewish, Chinese Data Breach Victims: Suit

When 23andMe made several announcements about a data breach in October, it didn’t disclose that hackers who infiltrated its computer network “were after the personal information of Jewish and Chinese customers,” alleged a class action Friday (docket 3:24-cv-01418) in U.S. District Court for Northern California in San Francisco. 23andMe customer Rudy Thompson filed the complaint.

The breaches and “specific targeting of persons of Jewish and Chinese descent" have raised "the distinct possibility that such customers and Class members could become targets of antisemitic hate speech,” said the complaint, citing a recent surge in violence and hate speech fueled by the ongoing Israel-Hamas war.

Customers’ ancestry information “is already being sought out and allegedly used by hackers” to target class members “as retaliation for Israel’s response” to Hamas’ Oct. 7 attack on Israel, said the complaint, citing an Oct. 17 internet forum post by a hacker called Golem, who claimed he had data about “wealthy families serving Zionism” that he was offering for sale in the aftermath of the deadly explosion at Al-Ahli Arab Hospital in Gaza City.

On Oct. 6, 23andMe disclosed in a blog it “recently learned” that a release of customer profile information shared through its DNA Relatives feature had occurred without account users’ authorization, said the complaint. The company began an investigation “immediately” and believed the threat actors were able to access 14,000 accounts where users “recycled login credentials,” a practice known as “credential stuffing,” it said. 23andMe recommended that users have strong passwords and enable two-factor authentication, it said.

The company updated the blog Oct. 9 on actions it had taken in response to the breach and required customers to reset their passwords, said the complaint. An Oct. 10 8-K filing with the SEC said “certain” profile information and accounts were accessed through credential stuffing but didn’t provide details of the breach, said the complaint. On Oct. 20, 23andMe said it temporarily disabled some features within the DNA Relatives tool; on Nov. 6, the company began requiring all customers to use two-step verification, it said.

This was all too little, too late,” said the complaint. The initial blog posts and SEC filing didn’t say how unauthorized third parties were able to access private information, “that the hackers had specifically targeted customers of Jewish and Chinese descent,” what private information was compromised, and how many people were affected by the breach, said the complaint. “Reasonable steps to remedy the situation were slow, or non-existent,” it said.

In fact, the stolen data had been “circulating for months” before 23andMe’s first October disclosure to users, said the complaint. The defendant didn’t disclose how many users were affected by the breach, but hackers began selling data “that appeared to be misappropriated from millions of users,” the complaint said. On Aug. 11, a hacker on cybercrime forum Hydra claimed to be selling 300 terabytes of stolen 23andMe user data for $50 million, or $1,000-$10,000 for a subset of data, it said. Reddit alerted users to the 23andMe breach Aug. 11, but 23andMe “failed to monitor normal channels or chose not to act in response to the Hydra and Reddit posts,” it said.

On Oct. 1, Golem published on hacking platform BreachForums the alleged data of 1 million users of Jewish Ashkenazi descent and 100,000 Chinese users, asking $1-$10 per account, the complaint said. Data included 23andMe DNA and profile data, full names, home addresses, birth dates and ancestry, it said. Subsequent Golem posts advertised pricing for “origin estimation, phenotype and health information, photos and identification data, raw data,” and 23andMe users’ last login dates. Another pitched “[t]ailored ethnic groupings,” “pinpointed origin estimations, haplogroup details," photographs, links to “hundreds of potential relatives, and most crucially raw data profiles,” it said.

In 23andMe’s latest disclosure to the California attorney general, it revealed that hackers started breaking into customers’ accounts in April “and continued through most of September,” said the complaint. The data breach described in the California disclosure “is much worse than originally reported or described,” the complaint said, citing data breach dates of April 29 and Sept. 27. The body of the notice said 23andMe “believe[s] a threat actor orchestrated a credential stuffing attack during the period from May 2023 through September 2023,” yet the company’s notice "still identifies October 1, 2023 as the operative incident date that triggered 23andMe’s investigation,” it said.

23andMe’s website “was flawed” in design because it was possible to “freely access customer information just by typing a profile ID into the URL,” said the complaint. The ancestry platform shifted blame to customers for “negligently” failing to update their passwords, and while users do have an obligation to follow security practices to keep their information safe, “companies also have a responsibility to protect their customer’s sensitive data,” the complaint said.

Customers trusted the company with their personal information, “much of which was necessary to access the service,” said the complaint. The breach affected millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, “not because they used recycled passwords,” said the complaint. Of those millions, “only a few thousand accounts were compromised due to credential stuffing,” it said.

By maintaining “insecure data practices and then failing to inform their customers about the scope and danger of the leak, and further failing to provide their customers with any remedy, 23andMe has repeatedly let down its customers and exposed them to heightened risk for harassment, financial fraud, medical fraud, and identity theft for years to come,” said the complaint.

Before 23andMe sent notices Dec. 5 to the 7 million customers affected by the breach, it “changed its terms and conditions" on Nov. 30 to add arbitration requirements that would “make it more difficult for the victims of the data breach to bring class actions or mass arbitrations,” said the complaint. Updated terms created an initial dispute resolution period in which customers have to “talk to 23andMe one-on-one before filing an arbitration claim,” it said. Terms also now “compel customers to negotiate a dispute for 60 days before filing an arbitration claim,” it said.

Plaintiff Thompson opted out of the company’s “attempt to deprive” him of his right to bring the class action, said the complaint. Among his 14 claims are violations of California’s Comprehensive Computer Data Access and Fraud, Customer Records, and Consumers Legal Remedies acts; negligence; breaches of contract, implied covenant of good faith and fair dealing, and fiduciary duty; and violations of Alaska, California, Illinois and Oregon privacy statutes.

Thompson requests on behalf of himself and the class declaratory and injunctive relief; awards of compensatory, statutory and punitive damages; pre- and post-judgment interest; and attorneys’ fees and legal costs.