23andMe Responds to Data Breach Lawsuit by Blaming Customers for Re-Using Passwords

23andMe is facing a class action lawsuit over its recent data breach involving about 6.9 million users, or over half of its total customer base. A letter from its legal team indicates that it is going to attempt to defend itself by claiming it was all the fault of users that recycled their passwords.

The letter, sent by law firm Greenberg Traurig to the attorneys handling the putative class action suit, claims that what took place does not meet the legal definition of a security breach because it involved only users who re-used login credentials that had been leaked elsewhere. The law firm also claims that the exposed data cannot be used to cause any financial harm, and that the genetic information that was available does not meet the legal threshold of protected medical data under California law or of biometric data under Illinois law.

23andMe data breach defense claims no responsibility to check for exposed passwords

The data breach was first disclosed in October 2023, and 23andMe initially reported that it affected only about 14,000 customers (or 0.1% of its base). That number was soon revised upward to nearly half of the company’s estimated 14 million customers, after it realized that the attackers could use its “DNA Relatives” feature to scrape certain information from other accounts connected to those that had been breached.

23andMe’s legal defense is likely based on those initial 14,000 accounts having been compromised by credential stuffing, fed by usernames and passwords leaked in past data breaches at other companies. But the company is additionally claiming no responsibility for the remaining data breach victims, since they opted in to share certain profile information via the “DNA Relatives” (and related “Family Tree”) feature. The vast majority of the users impacted in this way had their family relations and structure, birth years, self-reported locations, shared DNA composition and ancestry reports exposed to the hackers.

The putative class action suit spans the nation and involves the distinct data breach laws of California and Illinois, which the attorneys spend the most time addressing. The California claims also include violation of state laws protecting the confidentiality of medical information, which 23andMe addresses by claiming that the genetic material that was leaked does not meet the standard of being “individually identifiable” or “substantive” in terms of medical conditions or history of care.

The company’s defense as regards the data privacy laws of the two states is essentially to claim that a data breach did not actually occur, given that the incident stemmed from the failure of certain users to change passwords that had been exposed elsewhere (the letter specifically accuses those users of being “negligent”). In the case of alleged violation of California’s CPRA, it also claims that it met its obligations under state law by resetting user passwords after discovering the breach and requiring that accounts implement a 2FA method.

Claims of user negligence likely to face intense scrutiny

The court’s ultimate decision will rest on its view of what 23andMe’s security obligations under the law actually are. The company did not require 2FA prior to the data breach, and did not appear to be scanning HaveIBeenPwned or similar leaked credential databases to spot potentially vulnerable passwords still in use. However, the relevant laws do not necessarily compel it to do those things.
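The leaked-credential check described above is normally done with a k-anonymity range query: the client sends only the first five hex characters of the password’s SHA-1 and matches the rest locally, so neither the password nor its full hash leaves the client. The following is an added example, not code from 23andMe or Have I Been Pwned; the breached-password corpus, its counts and the `range_lookup` stand-in for the server are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus; counts are made up.
# A real deployment would call the Pwned Passwords range API instead.
LEAKED_CORPUS = {"password": 9_000_000, "123456": 30_000_000,
                 "qwerty": 4_000_000, "letmein": 250_000}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Server side: bucket every hash under its first five hex characters."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index

RANGE_INDEX = build_range_index(LEAKED_CORPUS)

def range_lookup(prefix: str) -> str:
    """Simulated server response: all 'SUFFIX:COUNT' lines in the bucket.
    The server only ever sees the 5-char prefix, never the full hash."""
    bucket = RANGE_INDEX.get(prefix.upper(), {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))

def breach_count(password: str, lookup=range_lookup) -> int:
    """Client side: query by prefix, then match the remaining 35 hex chars
    locally. Returns how often the password appears in breach corpora."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0

def registration_check(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Gate for sign-up and password changes; the same check can be re-run
    against existing accounts whenever a new credential dump surfaces."""
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"password appears {seen} times in breach corpora"
    return True, "ok"
```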

The company’s terms of service, which customers are required to accept when signing up, are also helping its defense. It requires customers to go through arbitration, though the class action suits are attempting to get this requirement thrown out. The company appears to have recently updated its arbitration process to make mass arbitration more difficult.

Still, it will be very tough for the company to reconcile 14,000 hacked accounts with almost half of all of its customer records being exposed.

Darren Guccione, CEO and Co-Founder at Keeper Security, notes that the company’s publicly traded status may play a role in determining how the court views its level of security obligation: “Attributing isolated responsibility to users often overlooks a pervasive responsibility of an organization to implement robust security measures and facilitate cybersecurity best practices among its users. Generally, there is a fiduciary obligation for organizations to protect collected, sensitive and confidential information of its users, employees and other stakeholders.  Aside from robust internal controls and technology applications to protect privacy, security and confidentiality of sensitive digital assets, strong password requirements and mandatory multi-factor authentication are two critical measures that can protect user accounts. 74% of breaches involve the human element – with the majority consisting of stolen or weak passwords, credentials and secrets. Password management software applications serve this purpose.”

“A culture of shared responsibility for security, where both the organization and its users play a role, can promote a resilient and secure environment, which is why users must advocate for their own cybersecurity as well. It is imperative for everyone to practice good cyber hygiene by using strong and unique passwords for all accounts on every device. To achieve this, it is essential to use a password manager – this will create high-strength random passwords for every website, application and system and further, will enable 2FA to protect against remote data breaches. A password manager is a critical first line of defense against ransomware and the most common attack vectors in a data breach,” added Guccione.

Steve Moore, Vice President & Chief Security Strategist, Exabeam, sees a balance of responsibility between the two sides but ultimately believes 23andMe has obligations in terms of securing user logins: “There’s accountability on both sides, and it’s always easy and unfair to play Monday morning quarterback.  The letter was direct, a tone which didn’t shock me but wasn’t the warmest message one could receive.”

“This represents a very fine line in breach reporting.  If a company suffers a breach and records are lost, that’s a breach. However, if they manage a customer portal and a customer’s account is accessed by an organized adversary due to a reused password by a customer (from a prior breach), is that the same, and does this change if performed at scale?  At a minimum, this requires detection and notification logic by the defender. Moving forward, 23andMe must have requirements on customer registration that discourage or even block the use of weak passwords; additionally, a secondary authenticator that avoids SMS should be an additional feature – their clients should welcome this,” noted Moore.

At minimum, the data breach has been an absolute PR disaster for 23andMe. In addition to the company’s apparently flippant attitude toward customers and data safety, the hacker who stole the data appeared to have racial and political motivations, specifically dumping files belonging to users of Chinese and Ashkenazi Jewish heritage. The company was already in some financial trouble prior to the data breach, seeing its value fall 13% in Q3 after posting a larger Q2 loss than expected. The company is expected to release its quarterly report in February.