23andMe's breach targeted Jewish and Chinese customers, the lawsuit said

Genetic testing company 23andMe is accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.

The lawsuit, filed Friday in federal court in San Francisco, also accused the company of failing to notify customers of Chinese and Ashkenazi Jewish descent that they appeared to be specifically targeted, or that their personal genetic information had been collected into “specially curated lists” that were shared and sold on the dark web.

The lawsuit was filed after 23andMe filed a report with the California Attorney General's Office that revealed the company had been hacked over the course of five months, from late April 2023 to September 2023, before becoming aware of the breach. According to the report, which was reported by TechCrunch, the company learned about the breach on October 1, when a hacker posted to an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.

The company first disclosed the breach in a blog post on Oct. 6, saying a “threat actor” had gained access to “certain accounts” by using “recycled credentials” – old passwords that 23andMe customers had used on other sites that had been compromised.

The company announced the full extent of the breach in an updated blog post on December 5, after completing an internal review assisted by “external forensic experts.” By then, users' personal genetic information and other sensitive material had already been available and offered for sale on the dark web for two months, according to Eli Wade-Scott, attorney for the plaintiffs.

23andMe did not immediately respond to requests for comment about the lawsuit.

Jay Edelson, another attorney representing the plaintiffs, said 23andMe's approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.

“As we look at data breaches now, our primary concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” Mr. Edelson said in an email on Friday. “The standard for when a company acts reasonably to protect data is now higher, at least for the type of data that can be used in this way.”

A father of two in Florida, one of two named plaintiffs in the lawsuit, said in an interview that the 23andMe kit he bought as a birthday gift for himself last year revealed that he had Ashkenazi Jewish heritage. The man, identified in the complaint only by his initials, JL, spoke on condition of anonymity because he said he feared for his safety.

He wanted to connect with family members, he said, so he turned to a feature called DNA Relatives, which shares select information with other 23andMe customers who might be a close genetic match.

The hacker gained access to this feature and information from 5.5 million DNA relative profiles, 23andMe said in December. The profiles can include a customer's geographic location, year of birth, family tree and uploaded photos.

The hacker also gained access to the profile information of an additional 1.4 million customers through a feature called Family Tree.

After 23andMe informed JL and millions of other users that their data had been breached, JL said he feared he could be targeted as anti-Semitic hate speech and violence increased, fueled by the Israel-Gaza conflict.

“Now that the information is out,” he said, “someone could come in and decide they're going to express their frustrations.”

According to the lawsuit, on Oct. 1, a hacker calling himself “Golem” and using an image of Gollum from the “Lord of the Rings” films as an avatar leaked the personal information of more than 1 million 23andMe users of Jewish descent on BreachForums, an online forum used by cybercriminals. The data includes users' full names, home addresses and dates of birth.

Later, in response to a forum request for access to “Chinese accounts” from someone using the alias “Wuhan,” Golem responded with a link to the profile information of 100,000 Chinese customers, the lawsuit said. Golem said he had profile data on a total of 350,000 Chinese customers and offered to release the rest if there was interest, the lawsuit said.

On October 17, Golem returned to the forum to say that he had data on “rich families serving Zionism” that he was offering for sale in the aftermath of the deadly explosion at Al-Ahli Arab Hospital in Gaza City, according to the indictment. Israeli officials and Palestinian militants blamed each other for the explosion, but Israeli and US intelligence agencies claim it was caused by a failed Palestinian rocket launch.

The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.

“The current geopolitical and social climate,” the lawsuit argued, “increases the risks” to users whose data was exposed. Representative Josh Gottheimer, Democrat of New Jersey, called for an FBI investigation into the breach earlier this month, noting the focus on Ashkenazi Jews.

“The leaked data could enable Hamas, its supporters, and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to Christopher Wray, the FBI director.

Ramesh Srinivasan, a professor of information studies at the University of California, Los Angeles, said it was inevitable that these types of breaches would continue.

The question, he said, is whether companies will address these problems by taking serious precautions — for example, tightening security or limiting data retention — or whether they will simply apply a Band-Aid by promising to fix it next time.

“We are staring into the abyss when it comes to the datafication of our lives,” he said.
