It is the most clumsy PR recovery attempt we have seen in a long time, and more than thirty plaintiffs’ attorneys are unlikely to approve of it.
23andMe is damaging its public image even further in an effort to repair the harm caused by a disastrous user data leak. The company, which sells DNA test kits that can be used at home to help consumers trace their genealogy and genetically encoded health risks, is blaming its frantic customers for the breach that occurred the previous year while simultaneously lying that there was never a severe breach in the first place.
At the beginning of October 2023, 23andMe disclosed that “certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.” This was the moment when the news of the leak became public. Preliminary investigations found that hackers gained access to 14,000 user accounts, which contain individuals’ genetic data, family trees, health projections, and other information, by guessing their credentials. These accounts most likely used passwords that had been exposed in prior security incidents. Threat actors responsible for the breach at 23andMe soon offered their loot for sale at prices ranging from $1 to $10 per user profile. Although these profiles did not include complete genetic results, they did include the users’ names, birth years, and ancestry information.
On the other hand, that is the thing with genetics: they are inextricably tied to other individuals. According to the findings of an investigation conducted by 23andMe in December, threat actors were able to gain access to 6.9 million more accounts by breaking into the original 14,000 user accounts on the website. These accounts were accessed through the DNA Relatives and Family Tree feature profiles. 23andMe is now citing those findings to justify blaming the first victims of the breach.
In a letter sent to a group of consumers who are suing the company for negligence and multiple privacy violations, 23andMe blames users with compromised passwords for allowing hackers to penetrate its databases. “23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the letter reads. Consequently, the letter argues, the incident was not the result of 23andMe’s purported failure to maintain sufficient security measures in accordance with the [California Privacy Rights Act].
According to the letter that 23andMe sent, “If a violation occurred, it has been remediated.” Although at least some customer information may still be available for purchase, the company considers resetting active logged-in user sessions and instructing consumers to enable two-factor authentication to amount to remediation. 23andMe also argues that the data that was released “could not have been used to cause pecuniary harm,” because it did not include customers’ social security numbers, driver’s license numbers, or financial information.
It is quite unlikely that the letter will be well received in any of the thirty cases related to the breach at 23andMe. Hassan Zavareei, an attorney for the plaintiffs, stated in an email to TechCrunch that 23andMe has “apparently decided to leave its customers out to dry while downplaying the seriousness” of the leak and the data that was compromised.
As Zavareei put it in his writing, “This finger-pointing is nonsensical.” “23andMe knew or should have known that many customers use recycled passwords, and as a result, 23andMe should have implemented some of the many safeguards available to protect against credential stuffing. This is especially important when taking into consideration the fact that 23andMe stores personal identifying information, health information, and genetic information on its platform.”