Genetics testing company 23andMe, has emailed customers to alert them to a data breach. The security violation involves the DNA Relatives feature that allows customers to compare ancestry information with other users. The compromised data includes:
Millions of customers could be affected, but 23andMe has not offered victims any credit monitoring or identity protections following the breach. Instead, the company has encouraged users to strengthen their passwords and enable multi-factor authentication.
Following the hack, customers of 23andMe have taken to social media to share concerns that their sensitive data could be used against them. These worries are not unfounded because the hackers are now offering the assembled genetic information of thousands of people for sale on the dark web. According to media reports, this includes sale lists for people with Chinese and Ashkenazi Jewish ancestry, leading to concerns over how this data could be used.
Unlike in other high-profile data breaches, on this occasion the hackers did not target the company’s servers. Instead, they targeted hundreds of individual user accounts using login credentials from previously compromised websites. This technique is called ‘credential stuffing’. After gaining access to some user accounts, the hackers then leveraged DNA matches to obtain information about thousands of other people.
Concerningly, 23andMe also stores genetic information about the relatives of some of its users, even if these relatives didn’t send a sample or consent to any data collection. As such, the ramifications of this breach could be considerable.
In the wake of the 23andMe data breach, several actions have been launched in the US against the genetic testing company. Complaints include negligence, invasion of privacy, breach of contract, unjust enrichment, and other claims. There are also allegations that 23andMe’s response to the hack was deficient.
We are investigating this incident to find out how it affects users and their relatives in England & Wales. If you receive notification of your involvement in this breach, sign up below to join our no-win, no-fee action and receive updates on this case.
We have launched a group action against Capita. Group actions can be a powerful tool… Read More
Here are some of the questions our data protection experts have been asked about our… Read More
We have launched a group action against 2plan. Group actions can be a powerful tool… Read More
What happened in the 2plan data breach? Find out in our latest blog and claim… Read More
We have launched a group action against Southern Water. Group actions can be a powerful… Read More
Here are some of the questions we have been asked about our Southern Water data… Read More