In a striking turn of events, 23andMe, the renowned genetic testing company, is facing over 30 lawsuits following a massive data breach that compromised the genetic and ancestry data of 6.9 million users. In a bold and controversial move, 23andMe is shifting the blame onto the victims themselves. According to a letter obtained by TechCrunch, the company argues that the breach was a result of customers reusing passwords, absolving itself of responsibility.
The breach, which initially affected around 14,000 user accounts through credential stuffing, eventually led to the exposure of personal data of an additional 6.9 million users. This escalation was due to the DNA Relatives feature, which allows automatic data sharing among users considered relatives on the platform. Despite the scale of the breach, 23andMe’s letter to the victims insists that the incident was not due to the company’s failure to maintain reasonable security measures but rather the users’ negligence in recycling passwords.
Lawyers representing the victims have criticized 23andMe’s stance, pointing out the company’s failure to implement safeguards against credential stuffing, especially given the sensitive nature of the data it handles. The breach’s impact extended far beyond the initial 14,000 accounts, affecting millions of users who had opted into the DNA Relatives feature, not because of recycled passwords but due to the feature’s inherent vulnerabilities.
In response to the breach, 23andMe reset all customer passwords and mandated multi-factor authentication, which was previously optional. Additionally, the company revised its terms of service, making it more challenging for victims to file collective legal claims. This move has been described by legal experts as self-serving and a desperate attempt to protect the company.
The situation raises critical questions about data security, corporate responsibility, and the ethics of blaming customers for security breaches. As the legal battles unfold, the tech community and consumers alike are closely watching how 23andMe navigates this complex and sensitive issue.
