Tuesday, March 5

23andMe breach targeted Jewish and Chinese customers, lawsuit says

Genetic testing company 23andMe is accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.

The lawsuit, which was filed Friday in San Francisco federal court, also accuses the company of failing to inform customers of Chinese and Ashkenazi Jewish descent that they appeared to have been specifically targeted or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.

The complaint was filed after 23andMe submitted a notification to the California Attorney General’s Office stating that the company had been hacked during a five-month period, from late April 2023 to September 2023, before becoming aware of the breach. According to the filing, which was reported by TechCrunch, the company became aware of the breach on October 1, when a hacker posted to an unofficial 23andMe subreddit, claiming to have customer data and sharing a sample as proof.

The company first disclosed the breach in a blog post on October 6, in which it said a “threat actor” had accessed “certain accounts” using “recycled login credentials” – old passwords that 23andMe customers had used on other sites and which had been compromised.

The company revealed the full extent of the breach in an updated blog post on Dec. 5, following the completion of an internal review assisted by “third-party forensic experts.” At that point, according to Eli Wade-Scott, a lawyer for the plaintiffs, users’ personal genetic information and other sensitive materials had been available and offered for sale on the dark web for two months.

23andMe did not immediately respond to requests for comment on the lawsuit.

Jay Edelson, another attorney representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.

“Now when we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic and massive scale,” Mr. Edelson said in an email Friday. “The standard for when a company acts reasonably to protect data is now stricter, at least for the type of data that can be used in this way.”

A Florida father of two, who is one of two plaintiffs named in the lawsuit, said in an interview that the 23andMe kit he bought for himself as a birthday present last year revealed that he had Ashkenazi Jewish heritage. The man, who is identified in the complaint only by his initials, JL, spoke on condition of anonymity because he said he feared for his safety.

He was looking to connect with loved ones, he said, so he opted for a feature called DNA Relatives, where certain information is shared with other 23andMe customers who might have a close genetic match.

The hacker gained access to this feature and information from 5.5 million DNA Relatives profiles, 23andMe said in December. Profiles can include a customer’s geographic location, year of birth, family tree, and uploaded photos.

The hacker was also able to access the profile information of an additional 1.4 million customers by accessing a feature called Family Tree.

After 23andMe informed JL and millions of other users that their data had been breached, JL said he feared becoming a target as hate speech and anti-Semitic violence emerged, fueled by the conflict between Israel and Gaza.

“Now that the information is out there,” he said, “someone might come along and decide to vent their frustrations.”

On October 1, according to the lawsuit, a hacker, who called himself “Golem” and used an image of Gollum from the film “The Lord of the Rings” as his avatar, leaked the personal data of more than a million users from 23andMe with Jewish ancestry on BreachForums, an online forum used by cybercriminals. The data included users’ full names, home addresses and dates of birth.

Later, in response to a request on the forum for access to “Chinese accounts” from someone using the pseudonym “Wuhan,” Golem responded with a link to the profile information of 100,000 Chinese customers, according to the lawsuit. Golem said he had a total of 350,000 Chinese customer profiles and offered to release the rest of them if there was interest, according to the lawsuit.

On October 17, Golem returned to the forum to declare that he had data on “rich families serving Zionism” that he was offering for sale following the deadly explosion at the Al-Ahli Arab Hospital in Gaza City, according to the complaint. Israeli officials and Palestinian activists blamed each other for the explosion, but Israeli and U.S. intelligence agencies say it was caused by a failed Palestinian rocket attack.

The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.

“The current geopolitical and social climate,” the lawsuit claims, “magnifies the risks” for users whose data has been exposed. Rep. Josh Gottheimer, Democrat of New Jersey, requested an FBI investigation into the breach earlier this month, highlighting the focus on Ashkenazi Jews.

“The leaked data could enable Hamas, its supporters and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to Christopher Wray, the director of the FBI.

Ramesh Srinivasan, a professor in the information studies department at the University of California, Los Angeles, said it was inevitable that these types of violations would continue.

The question, he says, is whether companies will address this by taking serious precautions – by beefing up security or limiting data retention, for example – or whether they will simply apply a Band-Aid and promise to do better next time.

“We are staring into the abyss when it comes to the datafication of our lives,” he said.