23andMe Faces Lawsuit and Breach After Genetic Data Sold on Dark Web

The Breach Notification and Disclosure

23andMe submitted a notification to the California Attorney General’s Office, confirming that the company was hacked from late April to September 2023. The company initially disclosed the breach in a blog post on October 6, where it mentioned that a “threat actor” gained access to “certain accounts” using “recycled login credentials” from compromised external sites. However, the full extent of the breach, including the exposure of users’ personal genetic information, was only disclosed in an updated blog post on December 5 after an internal review with third-party forensics experts.

Implications and Lawsuit Significance

The lawsuit signifies a shift in consumer privacy law, according to Jay Edelson, one of the lawyers representing the plaintiffs. He believes that breached data sensitivity has now escalated to the point where the first concern is whether such information can be used for physical harassment or harm on a mass scale. The complexity of the breach lies in the fact that customers opted into a feature called DNA Relatives, which resulted in the potential exposure of profile information from 5.5 million DNA Relatives, including geographic location, birth year, family tree, and uploaded photos.

The Hacker’s Actions

The lawsuit claims that the hacker, using the name “Golem” and an image of Gollum as an avatar, leaked the personal data of more than 1 million 23andMe users with Jewish ancestry on the online forum BreachForums. The leaked data included users’ full names, home addresses, and birth dates. Additionally, the hacker offered access to the profile information of 100,000 Chinese customers, with 350,000 more records available for sale. The lawsuit emphasized the amplified risks faced by users in the current geopolitical and social climate, particularly regarding potential targeting of the American Jewish population.

Broader Implications and Future Precautions

Ramesh Srinivasan, a professor at the University of California, Los Angeles, suggests that similar breaches are likely to continue. He poses the question of how companies will respond: by taking serious precautions, such as increasing security and limiting data retention, or by applying mere superficial remedies without addressing the underlying issues. The breach serves as a reminder of the growing dangers associated with the increasing datafication of people’s lives.

