Genetic testing company 23andMe announced on Friday a recent data breach in which attackers gained access to approximately 14,000 customer accounts. The company, which has over 14 million customers worldwide, determined that hackers accessed 0.1% of its customer base.
While the breach directly impacted only a small fraction of accounts, the attackers also gained access to files containing profile information about other users' ancestry shared through 23andMe's DNA Relatives feature.
Hackers Access Ancestry Data of 23andMe
The company's new filing with the US Securities and Exchange Commission provided additional details on the incident. An immediate investigation was conducted to find the threat actor, who claimed to have 23andMe users' profile information.
23andMe engaged third-party incident response experts to assess the extent of unauthorized activity. According to the investigation, the hackers accessed a fraction of user accounts (0.1%) where usernames and passwords matched those compromised or available from other websites.
The compromised accounts contained varying information, including ancestry details and, for a subset, health-related information based on genetics.
The attackers also accessed a "significant number" of files containing profile information about other users' ancestry, shared through the DNA Relatives feature, TechCrunch reported. To mitigate the impact, 23andMe said it is currently working to remove the leaked information from the public domain.
The company has taken steps to enhance user data protection, including a mandatory password reset for all users on October 10 and the implementation of two-step verification for new and existing users on November 6.
Financial Implications of Breach
The breach is estimated to result in one-time expenses of between $1 million and $2 million during the fiscal third quarter ending on December 31.
These expenses cover technology consulting services, legal fees, and third-party advisor costs. While the company acknowledges potential negative effects on its financial results, the full scope of impacts cannot be estimated right now.
The breach has led to multiple class-action claims against 23andMe in various jurisdictions, including federal and state courts in California, a state court in Illinois, and courts in British Columbia and Ontario in Canada.
The company is defending these cases, which are in the early stages, while also addressing notices under the California Consumer Privacy Act and inquiries from governmental officials and agencies.
While 23andMe believes its investigation into the matter is complete, it acknowledges the possibility of new information emerging. The company commits to updating information as required by applicable law. Currently, the full extent of the costs and impacts, including the availability of insurance coverage, remains uncertain.
"23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users' data," the company said in the filing.