Hackers were able to gain access to the personal information of 6.9 million 23andMe customers in a data breach, the company confirmed on Tuesday — representing nearly half of 23andMe’s reported user base of 14 million customers.
The genetic testing company, which offers health insights and ancestry information based on customer-submitted DNA collected by saliva swabs, said it learned of the hack in early October. After weeks of speculation, the true extent of the data breach has been revealed.
In some cases, users’ names, family trees, ancestry reports, locations, profile pictures and birth years were leaked. While the stolen data does not include DNA records, 23andMe told Global News in an email that the breach may have leaked “specifically where on (users’) chromosomes they and their relative had matching DNA.”
According to a proposed class-action lawsuit against 23andMe filed in B.C. Supreme Court, this stolen information was then put up for sale on the dark web.
The lead plaintiff in the lawsuit is an unnamed B.C. man, whose identity is protected under a publication ban, lawyer Sage Nematollahi told Global News.
Nematollahi’s firm KND Complex Litigation and Vancouver-based law firm YLaw Group are working together to pursue this class-action lawsuit.
Nematollahi said in a phone interview that “thousands” of Canadians have reached out to his law firm in the wake of the data breach, seeking to join the class-action suit. He said the volume of inquiries was “unprecedented” in his career.
The lawsuit alleges that 23andMe engaged in “willful, knowing or reckless conduct” by not implementing and maintaining proper data retention and data protection practices.
“As a result, they affirmatively exposed the highly sensitive and highly valuable customer data in their control, custody or possession to unauthorized parties and cybercriminals,” the lawsuit reads.
The suit seeks unspecified monetary damages, including the price that affected customers paid for 23andMe’s services as well as further damages resulting from the data breach. The proposed class-action lawsuit is open to anyone residing in Canada whose personal information was leaked by 23andMe.
Nematollahi wrote in a statement that, as a large business operator, 23andMe is held to “stringent standards under Canadian privacy laws, which require it to properly and responsibly manage and protect its customers’ highly sensitive and highly valuable personal information.”
“It is our hope that this class action will shed light on the facts, provide access to justice to Canadian customers who have been affected by this situation, and promote behaviour modification and responsible data management practices in the industry,” he added.
The proposed class-action lawsuit is being “actively pursued,” Nematollahi said, and the next court date for the case is slated for January.
Nematollahi says he and his colleagues are seeking an expedited court date to discuss recent tactics undertaken by 23andMe, which include a change to their terms of service that would force users into binding arbitration for any legal disputes. This means users would not be able to file or join class-action lawsuits.
23andMe is only giving users 30 days from when they receive the email about the new policy to opt out, The Verge reports. Users can opt out by contacting email@example.com.
“We have strong objections to these moves and tactics, and are taking steps to address this situation with the Court on an urgent basis in order to protect the interests of our clients and Canadian customers of 23andMe,” Nematollahi said.
How did the leak happen?
The company says a “threat actor” gained access to a small percentage of 23andMe accounts via “credential stuffing.”
“That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available,” 23andMe said in a blog post.
The hackers were able to access 14,000 accounts, less than 0.1 per cent of the user base, using these usernames and passwords that had previously been leaked. From this small seed, the hackers were able to access information from millions more accounts through 23andMe’s DNA Relatives and Family Tree features, which allow users to share information with other users they are genetically linked to.
Approximately 5.5 million users had data leaked from their DNA Relatives profile, as well as an additional 1.4 million users through the Family Tree feature, “each of which were connected to the compromised accounts,” 23andMe says.
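The two mechanics described above, credential stuffing against a small set of accounts and the one-hop reach of a relatives-sharing feature, can be put into code from the defender's side. The following is an added example written for this page, not code, logs or data from 23andMe: it flags a stuffing source in a constructed login log by the tell-tale shape of the traffic (many distinct usernames from one address, most attempts failing), then measures how many other profiles the successfully stuffed accounts can read through a hypothetical sharing graph, and how much opting out of sharing shrinks that reach. The log format, addresses, account names and graph are all constructed.

```python
"""Defender's view of a credential-stuffing breach amplified by a
data-sharing feature. Constructed example; nothing here is 23andMe's code,
logs or data."""
import re
from collections import defaultdict

# --- Part 1: spotting credential stuffing in authentication logs ---------
# Constructed log lines in a hypothetical "time ip user result" format.
LOGIN_LOG = """\
12:00:01 203.0.113.7 alice@example.org FAIL
12:00:01 203.0.113.7 bob@example.org FAIL
12:00:02 203.0.113.7 carol@example.org OK
12:00:02 203.0.113.7 dave@example.org FAIL
12:00:03 203.0.113.7 erin@example.org FAIL
12:00:03 203.0.113.7 frank@example.org OK
12:00:04 203.0.113.7 grace@example.org FAIL
12:00:05 203.0.113.7 heidi@example.org FAIL
12:05:10 198.51.100.4 alice@example.org FAIL
12:05:20 198.51.100.4 alice@example.org OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"


def stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: sorted users that logged in OK} for addresses that look
    like credential stuffing: many distinct usernames tried and most attempts
    failing. One user retrying their own password (198.51.100.4) is not
    flagged, because it touches a single username."""
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    successes = defaultdict(set)
    for ip, user, ok in parse_log(text):
        users[ip].add(user)
        total[ip] += 1
        if ok:
            successes[ip].add(user)
        else:
            fails[ip] += 1
    return {
        ip: sorted(successes[ip])
        for ip in users
        if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio
    }


# --- Part 2: how far a handful of seed accounts reach ---------------------
# Constructed, symmetric relatives graph: each account lists the accounts it
# is matched with through a sharing feature.
RELATIVES = {
    "carol@example.org": {"ivan@example.org", "judy@example.org", "mallory@example.org"},
    "frank@example.org": {"judy@example.org", "niaj@example.org"},
    "ivan@example.org": {"carol@example.org"},
    "judy@example.org": {"carol@example.org", "frank@example.org", "olivia@example.org"},
    "mallory@example.org": {"carol@example.org"},
    "niaj@example.org": {"frank@example.org"},
    "olivia@example.org": {"judy@example.org"},
}


def exposed_profiles(seed, relatives, opted_out=frozenset()):
    """Profiles readable by whoever controls the seed accounts.

    Reach is one hop: a compromised account can read its matches' shared
    profiles but cannot log in as them, so olivia (matched only to judy) stays
    out of reach unless judy herself is in the seed. Accounts that opted out
    of sharing neither expose their profile nor see anyone else's.
    """
    seen = set()
    for acct in seed:
        if acct in opted_out:
            continue
        seen.update(r for r in relatives.get(acct, ()) if r not in opted_out)
    return seen - set(seed)


def amplification(seed, relatives, opted_out=frozenset()):
    """Exposed profiles per compromised account. The figures in the article
    (14,000 stuffed accounts, 6.9 million affected) correspond to a ratio of
    roughly 500."""
    return len(exposed_profiles(seed, relatives, opted_out)) / len(seed)


if __name__ == "__main__":
    hits = stuffing_sources(LOGIN_LOG)
    seed = {u for users in hits.values() for u in users}
    print("stuffing sources:", hits)
    print("exposed via sharing:", sorted(exposed_profiles(seed, RELATIVES)))
    print("after judy opts out:",
          sorted(exposed_profiles(seed, RELATIVES, {"judy@example.org"})))
    print("amplification:", amplification(seed, RELATIVES))
```

The detection half keys on the shape of the traffic rather than on any one failed login, which is what distinguishes stuffing from a customer mistyping a password; the second half shows why two-step verification on every account matters more than on the seed alone, since any single account that can still be logged into with a reused password exposes every profile matched to it, while opting a profile out of sharing removes it from every compromised account's view at once.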
The genetic testing company says it emailed all customers to notify them of the data breach and now requires all new and existing users to log in to their accounts using two-step verification.
“Protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data,” the company said.
It recommends that customers change their password to one that is not easy to guess and is unique to their account.
Users can also opt out of the DNA Relatives feature to prevent their information from being shared with other accounts. Customers can opt out by selecting the “Manage Preferences” option on their “Account Settings” page.
Users who want to fully delete their 23andMe accounts and personal information can do so within the “23andMe Data” section on their “Account Settings” page.
“While we will delete the majority of your Personal Information, we are required to retain some information to comply with our legal obligations,” 23andMe writes on its website. “Deleting an account and associated data will permanently delete the data associated with all profiles within the account.”