Anne Bucher  |  December 29, 2023

Category: Data Breach

23andMe data breach overview:

  • Who: Plaintiff Alyson Hu filed a class action lawsuit against 23andMe Inc.
  • Why: 23andMe allegedly failed to take adequate cybersecurity measures to protect customers’ sensitive information from cybercriminals, resulting in a data breach that may have affected nearly 7 million individuals.
  • Where: The 23andMe class action lawsuit was filed in Illinois federal court.

Genetic testing company 23andMe Inc. faces another class action lawsuit following an Oct. 6 data breach.

Unauthorized actors reportedly accessed 23andMe accounts, including millions of customers’ sensitive personally identifiable information (PII), such as their names, usernames, regional locations, birth years, profile pictures and ethnicities.

Plaintiff Alyson Hu, a 23andMe customer, filed the 23andMe data breach class action lawsuit Dec. 26. She previously received notice her PII had been compromised.

“Since the [23andMe data breach] occurred, several news sources have reported that threat actors listed mass amounts of the stolen data for sale on the dark web,” Hu alleges. “Defendant has failed to address these reports, failed to inform victims when and how the data breach occurred and has even failed to say whether the security threat is still a risk to customers.”

Plaintiff argues adequate cybersecurity measures could have prevented 23andMe data breach

23andMe offers customers personalized genetic reports that include ancestry composition, DNA relatives, genetic health predispositions, genetic traits and other individualized genetic information.

To register for 23andMe genetic testing, customers purchase a genetic testing kit and provide 23andMe with detailed information about themselves. 23andMe then collects further individualized genetic information from customers, including their saliva sample information.

However, 23andMe failed to adopt adequate cybersecurity measures to protect customers’ PII from unauthorized actors, Hu alleges.

Genetic testing companies are “treasure troves” of sensitive information and therefore valuable targets for cybercriminals, the 23andMe class action lawsuit claims. 

The lawsuit also alleges 23andMe has not been forthcoming with information about the data breach and attempted to blame customers with “recycled login credentials.” 

While the threat actors accessed a limited number of 23andMe accounts, Hu says the cybercriminals accessed the PII of nearly 7 million individuals through 23andMe’s DNA relatives feature.

As a result of the 23andMe data breach, customers like Hu face the risk of identity theft well into the future and must spend time and money to mitigate the damage.

The 23andMe class action lawsuit asserts claims for negligence and violation of the Illinois Genetic Information Privacy Act.

A separate consumer filed a 23andMe data breach class action lawsuit in October, shortly after 23andMe announced the breach.

Were you affected by the 23andMe data breach? Tell us about your experience in the comments.

Hu is represented by Katrina Carroll of Lynch Carpenter LLP and Jonathan M. Jagher, Michael E. Moskovitz and Nia-Imara Barberousse Binns of Freed Kanner London & Millen LLC.

The 23andMe data breach class action lawsuit is Alyson Hu v. 23andMe Inc., Case No. 1:23-cv-17079, in the U.S. District Court for the Northern District of Illinois.



69 thoughts on 23andMe hit with another class action lawsuit over data breach

  1. Valeri DeCastris and David Beccue says:

    My husband and I got a letter, not an email. We can’t find the letter (moved to snowbird home). We need to join the class action. We have emailed the company multiple times and now snail-mailed the CEO and Corporation Counsel for a copy of any email that was sent….no avail as of two weeks post contact attempt.

  2. Sean Berard says:

    .

  3. Glemn says:

    To be fair, the data breach was mostly from folks that reuse the same password in every site they registered for, so that argument won’t hold up. Also, they have had 2FA for a while now and it was up to the user to turn it on, so you can’t say they neglected security. Also, they actually took measures to warn users via email that they suspected multiple users were accessing compromised accounts from reused email, which takes a while to detect since there needs to be a pattern to detect to begin with… So you can’t even fault them for that. All this to say, it’s 100% the users’ fault for reusing the same password and not having 2FA enabled. Might be sounding like a shill right now but that’s just how I see it happening in court. The class action lawsuit won’t get far. It’s the user’s responsibility to enable 2FA and not be a dumb ass by reusing the same password for everything.

    1. Nadia says:

      I’ve had 2FA set up since I’ve gotten it in 2020 and use a different password for each site. Still got a data breach notification.

  4. Michael Martello says:

    Yes, I have the email letting me know about what happened. I took a snapshot of it.

    1. C says:

      That’s how I found out too. No letter at all.

  5. Mary commerford says:

    Mr. Cooper never notified me about the cyberattack. I found out when I went to make a payment, then I sent it Western Union. It was never posted to my account. They’ve been doing this for three months now; they say I’m behind.

  6. Jennie says:

    I don’t think I got the letter (in WV) but this is twice for me. I changed passwords and hoped it would change, but obviously, it hasn’t. I think they offered a few bucks or a discount on some security service. But to let it happen again makes me wonder. And I’m no conspiracy theorist, but that sure stinks. My info was leaked, twice. They need to be shut down and we should get damages, instead of a few dollars. Let the other DNA companies know they can’t be hacked.

    1. Mary commerford says:

      I never got a letter. I’ve been making payments; now they say I owe over 2000 dollars. How do I get in to get money?

  7. Cathy says:

    Because the family tree information was taken, bad actors now have information to answer security questions: mother’s maiden name, father’s middle name, name of your oldest sibling, your city of birth, parents’ city of birth…etc.

  8. Shadi rum says:

    In these days of legal genocide supported by super powers against civilians, we witness across the world and for all of recorded history unprecedented atrocities committed because of failures of the politicians of the so called super powers. The natives of any land are often the victims of colonialism and oppression. Recently we have witnessed the theft of ancestral data of millions of users. Why is this significant you might ask? The genetic information of the natives in Jerusalem, Palestine, and the Levant is now subject to ethnic cleansing and erasing. On the author’s personal profile, Palestine or Palestinian identity is left out, labeled Levantine not from Jordan, Lebanon, or Syria. The genetic data highlights who the natives are, and this is considered to be threatening somehow. We are now being hunted in the West but so is our genetics.

    I am an honorably discharged Veteran facing such abuses of power.
    Any general who puts his faith in his weapons or his lies, is a poor general and the politicians that hobble their military are not listening to their generals that are speaking truth. I have been labeled everything from their lies, in fact my history doesn’t exist as they tried to erase one of our other native prophets, Isa (Jesus) may peace be upon him, without success. A sign of how things still remain the same. A dishonor of my honor for serving. A lesson not lost. You must fight for survival against any oppressor. Don’t take their sins upon yourselves.

    We are now likely the target of those who wish to exterminate us for our unique relationship to the Almighty Creator. To be clear, no one can ever speak for anyone once you have broken your own commandments and killed your neighbors. We are not your Nazis but you insist on imposing Nazi will on the Natives. Genocide is illegal, immoral, and inexcusable. You are witness however. In a court of law, you would be labeled accessories and guilty for allowing the killing of civilians, Full Stop.
    The observations and justifications highlight the propaganda machine to slaughter and oppress the innocent children and families killed to satisfy bloody revenge through technological buttons of warfare that kill on a mass scale. Make no mistake, your responses are filled with cries of “never again” and the author agrees with this concept, only not the way you enforce it. Europe and America’s anti-Semitism is not the crime of Palestinians. Living with these groups, I can indeed understand the concept of never again. Please open your eyes and see who is driving you and giving weapons to lose yourselves. Free all oppressed peoples and may all oppressors fall where they oppress.

    – [ ] Actual profile of author from PALESTINE. Notice that Palestine has to be legally removed via propaganda. When natives are discovered, evidence is often removed. Also note, 55 percent Egyptian yet not detected in the Egypt of today’s world. How can you have 55 percent from “not detected” ????? Very specific, what is not said speaks volumes.
    – [ ] 100 percent not detected from Palestine. Surprisingly, Israel is not labeled as this would be factual court admissible data. Until reality comes clean, we will not exist in the dirt they believe they created.
    – [ ] What is the only place left in this area? Is this still Earth??

    What would you feel if you had to live this? What would it look like? Who else had to go through this?
    Why was Jesus(PBUH) a traitor? Why was he labeled a terrorist when they wanted to murder him?

    It would not surprise the author to see the “genetic family” in the ancestry profiles suddenly suffering catastrophic life events. Their freedoms, liberties, and personal being subjected to their whims. Spying without warrants and when warrants are obtained, you discover the corruption so deep, you know where it is headed in the ash bins of history. Please document and share your stories. Do not let the oppressors advance whomever they are.

    The author’s genetic data is older than any of the residents who have stolen more than 13 acres while he continues to exist in exile. I don’t know why exactly, only that it is. Listed below is evidence and why the breach into this data was not about financial data but genetic data to help support genocide. May our creator judge you the same way you judge.

    L3f
    Today
    L3f is rare among 23andMe customers.
    Today, you share your haplogroup with all the maternal-line descendants of the common ancestor of L3f, including other 23andMe customers.
    1 in 76,000

    Northeast Africa, Sahel, Arabian peninsula, Iberia. Gaalien,[22] Beja[22]

    Ref

    A 2007 estimate for the age of L3 suggested a range of 104–84,000 years ago.[9] More recent analyses, including Soares et al. (2012) arrive at a more recent date, of roughly 70–60,000 years ago. Soares et al. also suggest that L3 most likely expanded from East Africa into Eurasia sometime around 65–55,000 years ago as part of the recent out-of-Africa event, as well as from East Africa into Central Africa from 60 to 35,000 years ago.[3] In 2016, Soares et al. again suggested that haplogroup L3 emerged in East Africa, leading to the Out-of-Africa migration, around 70–60,000 years ago.

  9. Anthony Clark says:

    I was notified by 23&Me that my data was compromised and I’m looking to file suit. I sent 23&Me an email to opt out of the alert that says that I cannot file a class action and I’m looking for a lawyer to accept my case.

  10. mary ballerin says:

    Illinoisans here. I got the letter, part of the relative sharing thing, breach and I’m not happy, I was an early user. I get more literal spam than anyone I know, it got way worse this Fall. I don’t know why, but 23andme didn’t protect my information. Sensitive area, I joined for health reasons. Their letter was a very low key mea culpa for a big deal, in my opinion.


Please note: Top Class Actions is not a settlement administrator or law firm. Top Class Actions is a legal news source that reports on class action lawsuits, class action settlements, drug injury lawsuits and product liability lawsuits. Top Class Actions does not process claims and we cannot advise you on the status of any class action settlement claim. You must contact the settlement administrator or your attorney for any updates regarding your claim status, claim form or questions about when payments are expected to be mailed out.