23andMe is “shamelessly” blaming victims of a data breach impacting 6.9 million users, a lawyer representing victims pursuing a class-action lawsuit, Hassan Zavareei, told TechCrunch.
Zavareei shared a letter from 23andMe lawyers that urged users suing to “consider the futility of continuing to pursue an action in this case,” because their claims are allegedly meritless and “the information that was potentially accessed cannot be used for any harm.”
Last year, hackers accessed 14,000 accounts on 23andMe by using passwords that had been previously breached during security incidents on other websites. By using this tactic, known as credential stuffing, hackers could access the personal data of millions of 23andMe users who opted into a DNA Relatives feature, including genetic information like the percentage of DNA shared with compromised users.
While 23andMe claims that the case has no merit, the courts have not yet weighed in on the many questions raised by users suing the company over alleged harms. In December, a US District Court in Illinois found that more than 100 users represented by Zavareei’s firm had “plausibly” demanded damages that exceeded $5 million. Those victims have alleged that 23andMe owed them compensation for the loss of the value of their personally identifiable information, costs of “remediating the impacts of the breach,” and emotional distress. Victims also want the court to order 23andMe to disgorge all profits retained by its “failed promise to safeguard their data.”
So far, 23andMe has been hit with more than 30 lawsuits filed in US federal and state courts, as well as courts in British Columbia and Ontario, Canada, as a result of the breach, suggesting that 23andMe could end up owing much more than $5 million. Due to the number of victims suing, there is an effort to consolidate these cases through multidistrict litigation to decrease the burden on courts.
Did 23andMe do enough to safeguard data?
In the class action filed by Zavareei’s firm, more than 100 victims have accused 23andMe of violating various state laws, including the California Privacy Rights Act (CPRA)—considered the US’s toughest consumer privacy law.
Under the CPRA, businesses that collect sensitive data must provide “reasonable security procedures,” but the law remains vague and does not stipulate what’s considered reasonable.
“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure,” the law says.
This vagueness has seemingly left room for 23andMe to argue that users who “negligently recycled and failed to update their passwords” following “past security incidents” were to blame for the breach, and “therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”
“The incident was a result of users’ failure to safeguard their own account credentials, for which 23andMe bears no responsibility,” 23andMe’s letter said.
But Zavareei told TechCrunch that 23andMe’s “finger-pointing is nonsensical.” Zavareei offered a different legal interpretation of what should have been considered “reasonable security procedures” for a website collecting data as sensitive as health and genetic information, which is sometimes considered more valuable than other data on the black market.
“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said.
Further, Zavareei argued that the majority of victims are completely blameless and only had their data “exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords.”
“Of those millions, only a few thousand accounts were compromised due to credential stuffing,” Zavareei told TechCrunch. “23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever.”
In the letter, 23andMe argued that the majority of users impacted were not harmed. According to 23andMe, “profile information that may have been accessed related to the DNA Relatives feature” could “not have been used to cause pecuniary harm” because “it did not include” users’ social security numbers, driver’s license numbers, or any payment or financial information.
To Zavareei, it seems clear that 23andMe could’ve done more to safeguard data because the company has already made substantial updates to security procedures on the site. Following the breach, 23andMe reset all users’ passwords and required multifactor authentication that was previously optional. However, according to 23andMe’s lawyers, these updates have already “remediated” any violations that occurred, and that could potentially make it harder for users to sue.
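The article describes credential stuffing (attackers replaying username and password pairs leaked from other sites) and, in the passages above, the safeguards 23andMe’s critics say it should already have had. The following Python is an added example, not code from the original article or from 23andMe, showing two defender-side controls a site can run: flagging a source address that cycles through many distinct usernames with a low success rate, and refusing passwords that appear in a breached-password corpus via a k-anonymity-style prefix lookup so the full hash never leaves the client. The log lines, IP addresses, usernames and the four-entry breached set are constructed for this example, and the `range_query` function is a local stand-in for a real breach-corpus service.

```python
"""Defender-side checks against credential stuffing (added example).

Two controls a login service can apply:
  1. flag source IPs that try many *different* usernames with few successes
  2. reject new or reset passwords that appear in a known-breached corpus
All log lines, addresses and the breached set are constructed here; they
are not real 23andMe data.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: "ISO-timestamp ip username outcome".
# 203.0.113.7 walks through six usernames in four seconds (stuffing pattern);
# 198.51.100.2 is one user mistyping, then entering, their own password.
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 alice FAIL
2023-10-01T12:00:02 203.0.113.7 bob FAIL
2023-10-01T12:00:02 203.0.113.7 carol OK
2023-10-01T12:00:03 203.0.113.7 dave FAIL
2023-10-01T12:00:04 203.0.113.7 erin FAIL
2023-10-01T12:00:05 203.0.113.7 frank FAIL
2023-10-01T12:05:00 198.51.100.2 alice FAIL
2023-10-01T12:05:30 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_rate=0.3):
    """Return {ip: stats} for sources whose traffic looks like credential stuffing.

    A stuffing source tries one leaked pair per account, so it touches many
    distinct usernames and mostly fails. A legitimate user retrying a
    forgotten password hits a single username, so it is never flagged here.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological; sliding window below relies on this
        start = 0
        for end in range(len(attempts)):
            # shrink the window from the left until it fits the time bound
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(ok for _, _, ok in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win),
                               "successes": successes}
                break  # one hit per IP is enough to raise the alert
    return flagged


# Constructed "breached" corpus: SHA-1 digests of a few well-known weak
# passwords. A real deployment would query a breach corpus; this local set
# keeps the example runnable offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def range_query(prefix5):
    """Stand-in for a k-anonymity range endpoint (hypothetical service).

    Given only the first five hex characters of a SHA-1, return every stored
    suffix with that prefix. The caller never transmits the full hash.
    """
    return {h[5:] for h in BREACHED_SHA1 if h[:5] == prefix5}


def is_breached(password):
    """True if the password's SHA-1 is in the breached corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "breached" if is_breached(candidate) else "ok")
```

The detection thresholds (five distinct usernames inside five minutes with at most a 30 percent success rate) are tunable assumptions; the point is that the signal is the breadth of usernames from one source, not the number of failures for one account, which is what distinguishes stuffing from an ordinary user who forgot a password. The password check runs at signup and at reset, which is the moment a site can stop a recycled credential before it is ever usable against it.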
“We trust this resolves this matter,” 23andMe’s lawyers told victims suing, but regardless of what happens in Zavareei’s clients’ suit, the ancestry company seems to expect more backlash from users still grappling with how to safeguard their data after the breach.
23andMe users blamed for breach remain confused
In December, 23andMe updated its terms of service (TOS), giving users 30 days to opt out of a condition requiring them to waive rights to raise class-action lawsuits against 23andMe and instead resolve disputes through private arbitration.
Officially, 23andMe told users that this was done “to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed.” But lawyers told TechCrunch that the TOS update appeared to be a “cynical” and “self-serving” attempt to “deter customers from going after the company.” By forcing users into arbitration, 23andMe would also seemingly spare substantial litigation costs and save face by avoiding public hearings.
Meanwhile, seemingly past the point of opting out of the class-action waiver, some users expected to take the blame for the breach still appear confused about what happened.
In a 23andMe subreddit, a self-described 23andMe user posted an email allegedly recently sent by 23andMe, notifying that user that their account had been compromised due to credential stuffing.
The email appeared to serve as 23andMe’s way of notifying the user directly that they were to blame for the breach. It said that “the threat actor was able to gain access to your account because the username and password that you used on 23andMe.com were the same as those that you used on other websites that were previously compromised or otherwise available,” a screenshot of 23andMe’s email showed.
“Did anyone else just receive this email regarding the data breach?” the Reddit user asked. “Don’t know if this is only about my account or if they sent it to everyone.”
Another user on the thread claimed that after receiving the email, they could not log into their account.
One responder suggested that 23andMe blamed users for the breach because the company was “trying to cover their backside as a bunch of lawsuits have been brought against them.”
“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Zavareei told TechCrunch.
23andMe did not respond to Ars’ request for comment.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
