A letter obtained by TechCrunch reveals that 23andMe, the genetic testing company, is attempting to deflect blame onto the victims of its recent data breach. The breach, which occurred in December, resulted in the theft of genetic and ancestry data belonging to 6.9 million users. Facing over 30 lawsuits from affected customers, 23andMe is now trying to absolve itself of responsibility by arguing that the victims’ negligence in recycling and failing to update their passwords contributed to the breach.
However, legal experts argue that 23andMe’s attempt to place blame on the victims is unfounded. According to Hassan Zavareei, one of the lawyers representing the victims, the company should have anticipated that many customers would use recycled passwords and implemented appropriate safeguards to protect against credential stuffing attacks. Zavareei also points out that the breach impacted millions of customers, regardless of their password habits, as hackers were able to access data through the DNA Relatives feature of the platform.
Rather than taking responsibility for the security lapse, 23andMe’s letter tries to minimize the severity of the breach by claiming that the stolen data cannot be used to cause monetary harm. The information accessed by the unauthorized actors did not include social security numbers, driver’s license numbers, or financial information, according to the company’s lawyers.
In response, affected customers and legal experts have criticized 23andMe for attempting to hide from consequences instead of providing assistance to its customers. Some see the company’s shift in blame onto the victims as an attempt to evade legal repercussions and protect its own interests.
Despite 23andMe’s attempts to protect itself, a wave of class action lawsuits has been filed against the company. These lawsuits come in the wake of alterations made by 23andMe to its terms of service, which were seen as self-serving and an attempt to prevent victims from banding together in legal claims.
As the legal battles continue, the fallout from the data breach serves as a reminder of the importance of robust security measures and accountability in the handling of sensitive personal information.