In a significant data breach, hackers have gained access to the personal information of 6.9 million customers of genetic testing company 23andMe. This represents nearly half of the company’s reported user base of 14 million customers. While the stolen data does not include DNA records, it does include sensitive information such as users’ names, family trees, ancestry reports, locations, profile pictures, and birth years.
According to a proposed class-action lawsuit filed in B.C. Supreme Court, the stolen information was put up for sale on the dark web. The lead plaintiff in the lawsuit, an unnamed B.C. man, is seeking unspecified monetary damages and alleges that 23andMe engaged in negligent conduct by not implementing and maintaining proper data protection practices.
The lawsuit has garnered significant attention, with “thousands” of Canadians reaching out to join the class-action suit in the wake of the data breach. The volume of inquiries has been described as “unprecedented” by lawyer Sage Nematollahi, who is working on the case.
The breach has raised concerns about 23andMe’s data management practices and their compliance with Canadian privacy laws. As a large business operator, 23andMe is expected to adhere to stringent standards, which require them to properly manage and protect customers’ highly sensitive personal information.
In response to the breach, 23andMe has implemented two-step verification for all users and has recommended that customers change their passwords to one that is unique and not easy to guess. Users can also opt-out of certain features, such as DNA Relatives, to prevent their information from being shared with other accounts.
This data breach serves as a reminder of the importance of data security and the need for companies to take appropriate measures to protect the personal information of their customers. It remains to be seen how the class-action lawsuit will progress and what consequences 23andMe may face for the breach.