What Happened
Genomics company 23andMe faces over 30 lawsuits due to a major data breach involving sensitive personal information. This breach, revealed in October, involved the sale of customer data on the Dark Web. The cyberattack compromised nearly 7 million user accounts, indicating a significant security failure at 23andMe.
The company, however, is blaming the victims for the breach. It argues that customers reused passwords and failed to update them after previous security incidents.
About the 23andMe Attack
The attack began with hackers accessing around 14,000 user accounts through credential stuffing. This method involves using previously exposed passwords. The data breach then expanded, affecting an additional 6.9 million users of 23andMe. For more information about the breach, you can visit our news article.
The Arguments
Meanwhile, 23andMe’s lawyers claim the stolen data cannot cause monetary damage, a point that remains contentious among the victims.
23andMe maintains that the data breach was due to user negligence rather than a failure of its own security measures. In a letter to the affected users, the company stressed this point, shifting the blame onto the customers.
On the other hand, legal representative Hassan Zavareei criticized 23andMe, stating that the company is avoiding responsibility and downplaying the breach’s severity.
“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” the lawyer indicates.