23andMe faces a class action lawsuit for allegedly failing to use “adequate and reasonable cyber-security procedures” that could have prevented a data leak.
Earlier this month, a post on a forum where stolen data is traded and sold offered “20 million pieces of data” from 23andMe for sale, Cyberscoop reported. Days after the article was posted, 23andMe shared its take on the incident in a financial regulatory filing and blog post.
According to 23andMe, a threat actor acquired login credentials for compromised websites unrelated to the genetic testing company. The credentials allowed the threat actor to access the 23andMe accounts of customers who used the same login details for the compromised websites and the genetic testing site. The recycling of login credentials is a common cause of unauthorized access to accounts.
Gaining unauthorized access to a 23andMe account would give a threat actor data on the person whose account had been compromised and data on accounts connected to them via the DNA Relatives tool. 23andMe provides the tool to allow people to find genetic relatives and share data with them. Using the tool, a threat actor could use access to one account to reach data on many people whose own accounts had not been compromised.
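An added example, not code from the article or from 23andMe: a minimal detector for the credential-recycling attack described above, run over constructed authentication log lines. It flags source addresses that attempt logins to many distinct accounts with a high failure rate and lists the accounts where a login nevertheless succeeded, which are the ones to reset and whose connected-relative exposure would need assessing. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, not real 23andMe data).
# 203.0.113.7 tries six different accounts and gets into two of them.
# 198.51.100.20 is one user mistyping a password once.
# 192.0.2.9 is a shared office address: several users, no failures.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.7 user=alice@example.test result=FAIL
2023-10-01T10:00:02Z src=203.0.113.7 user=bob@example.test result=FAIL
2023-10-01T10:00:03Z src=203.0.113.7 user=carol@example.test result=OK
2023-10-01T10:00:04Z src=203.0.113.7 user=dave@example.test result=OK
2023-10-01T10:00:05Z src=203.0.113.7 user=erin@example.test result=FAIL
2023-10-01T10:00:06Z src=203.0.113.7 user=frank@example.test result=FAIL
2023-10-01T10:01:00Z src=198.51.100.20 user=alice@example.test result=FAIL
2023-10-01T10:01:05Z src=198.51.100.20 user=alice@example.test result=OK
2023-10-01T10:02:00Z src=192.0.2.9 user=gina@example.test result=OK
2023-10-01T10:02:01Z src=192.0.2.9 user=hank@example.test result=OK
2023-10-01T10:02:02Z src=192.0.2.9 user=ivy@example.test result=OK
2023-10-01T10:02:03Z src=192.0.2.9 user=jon@example.test result=OK
2023-10-01T10:02:04Z src=192.0.2.9 user=kim@example.test result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(log):
    """Yield (source, user, succeeded) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result") == "OK"


def find_stuffing_sources(log, min_users=5, min_fail_ratio=0.5):
    """Return {source: [accounts it logged into]} for sources that look like
    credential stuffing: many distinct usernames and a high failure ratio.
    Both thresholds are assumed starting points, not tuned values."""
    stats = defaultdict(lambda: {"users": set(), "ok": set(), "fails": 0, "total": 0})
    for src, user, ok in parse(log):
        s = stats[src]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["ok"].add(user)   # a success here is a probable account takeover
        else:
            s["fails"] += 1
    return {
        src: sorted(s["ok"])
        for src, s in stats.items()
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio
    }
```

The shared-address case shows why the failure ratio matters: many users from one source is normal for an office or carrier NAT, but many users with mostly failed attempts is not.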
NBC News saw a list of 999,999 alleged 23andMe customers for sale online. The threat actor released 1 million lines of data for Ashkenazi people, according to Bleeping Computer, and then offered to sell DNA accounts in bulk. A forum post offered to sell “tailored ethnic groupings” and other information for $1 to $10 per account, depending on how many accounts were included in the transaction.
23andMe told investors there is no “indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” The company has retained independent experts to support its investigation and mitigation measures.
However, the response failed to appease everyone. Two people filed a class action lawsuit that accused 23andMe of attempting to “redirect the blame on to the criminal actors” that accessed their accounts and of “avoiding mention that their safeguards were inadequate.” The lawsuit argues that 23andMe failed to say if it has ended the threat or state how the breach occurred.
“[23andMe] maintained the [private information] in a reckless manner,” the lawsuit states. “In particular, the [private information] was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks.” 23andMe told investors it “undertook immediate action in accordance with its incident response plan” and is “fully cooperating with federal law enforcement.”