The DNA testing company 23andMe was served with a class action lawsuit in California after cyber thieves gained access to personal data for at least a million clients. The lawsuit claims the popular DNA company “intentionally, willfully, recklessly, or negligently” failed to implement adequate safety measures to protect its customers whose birth year, location and ancestry trees were exposed during the attack. “On no later than 6 October 2023, unauthorized third-party cybercriminals gained access to the Class members’ and, on information and belief, Plaintiff’s PII (personally identifiable information) as hosted with Defendant, with the intent of engaging in the misuse of the PII, including marketing, disseminating, and selling Plaintiff’s and the Class members’ PII (the 'Data Breach'),” stated the lawsuit filed in Orange County Superior Court.[1]
“The total number of individuals who have had their data exposed due to Defendant’s failure to implement appropriate security safeguards is unknown at this time but is estimated to be approximately 1,000,000 individuals at a minimum. An undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding Plaintiff and the Class members in the future.” The lawsuit was filed in Orange County because the lead plaintiff and alleged victim, Dhaman Gill, lives in Newport Beach, CA, according to the claim.
“Plaintiff, as a result of the Data Breach, has increased anxiety for his loss of privacy and anxiety over the impact of cybercriminals accessing, using, and selling his PII,” the lawsuit stated. “Plaintiff has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from, on information and belief, his PII being placed in the hands of unauthorized third parties/criminals.” The San Francisco area-based company reported the breach to the US Securities and Exchange Commission and claimed hackers used old passwords to first breach about 14,000 profiles. From there the cyber crooks branched out and siphoned data from millions of other customers.
“23andMe is in the process of providing notification to users impacted by the incident as required by applicable law,” the firm stated in its disclosure report to the SEC. “While no company can ever completely eliminate the risk of a cyber-attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on 6 November 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward.”
The lawsuit, which seeks unspecified compensatory damages, also demanded that 23andMe scrub its clients’ personal information to prevent future attacks or prove it can protect the stored data. “Defendant (must) delete and purge the PII of Plaintiff and the Class members unless Defendant can provide to the Court reasonable justification for the retention and use of such information when weighed against the privacy interests of Plaintiff and the Class members.”
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://www.msn.com/en-us/news/other/23andme-slammed-with-class-action-lawsuit-after-cyber-attack/ar-AA1lKnnS