In the aftermath of a colossal data breach affecting 6.9 million users, 23andMe finds itself entangled in more than 30 lawsuits from victims seeking accountability.
Instead of addressing the victims' concerns, the genetic testing firm is now putting the blame on them.
TechCrunch obtained a letter sent to a group of victims, revealing 23andMe's attempt to evade responsibility.
Breaching the Breach: Understanding the Data Compromise
Acknowledging the hack in December, 23andMe disclosed that hackers had infiltrated the genetic and ancestry data of almost half of its customer base.
"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims, said in a letter sent to TechCrunch via email.
Initially targeting 14,000 accounts, the hackers used credential stuffing, a technique that tries known passwords associated with the targeted customers.
Subsequently, they leveraged the DNA Relatives feature, compromising an additional 6.9 million users who had opted into data sharing.
Victim-Blaming: 23andMe's Alarming Response
23andMe's letter to victims alleges that users "negligently recycled and failed to update their passwords," absolving the company of security lapses. This contentious stance prompted criticism, with legal experts terming it a "shameless" attempt to shift blame onto the breach victims.
Responding to the victim-blaming approach, Dante Termohs, one of the affected 23andMe customers, expressed his disdain, calling the company's behavior "appalling."
The letter's assertion that stolen data couldn't cause monetary harm also drew scrutiny. Legal experts argue that the compromised data, even if excluding sensitive information, still poses risks and undermines 23andMe's accountability.
23andMe's Defensive Measures and Legal Maneuvers
Post-breach, 23andMe took corrective actions, resetting all customer passwords and implementing mandatory multi-factor authentication. However, the company also changed its terms of service in a way aimed at complicating legal action by victims, which raised eyebrows.
Legal professionals condemned the move as a "cynical" effort to shield the company from collective legal challenges.
Persistence of Legal Action
Despite 23andMe's attempts to mitigate fallout and reshape its legal landscape, the surge in class action lawsuits signals a significant challenge.
The victims, unwilling to accept blame for the breach, are rallying against the company's tactics. As the legal battle intensifies, 23andMe's attempts to downplay the impact and deflect responsibility are met with increasing scrutiny.