23andMe has suffered yet another data breach. A few weeks ago, a hacker published a trove of stolen user data on the internet. Earlier this week the same hacker claimed to have leaked another 4 million genetic profiles, posting this latest tranche of data on the hacking site BreachForums.
In a statement, 23andMe said: “We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing, and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.”
In relation to the previous data leak, 23andMe has ascertained that the data was legitimate, and that it affected the platform’s DNA Relatives feature, which allows users to match with potential genetic relatives on the platform.
The most recent leak also involves 23andMe’s DNA Relatives feature. The genetic data contains highly personal and sensitive information about a person’s genetic makeup, ancestry, family relations, and health conditions, among other things.
Hackers could attempt to sell genetic data back to users for a ransom, threatening to publish sensitive information widely if payment is not made.
The data leaks have spurred a set of class action lawsuits against 23andMe, including five in California, where the company maintains headquarters.
In one case, plaintiffs allege that the company failed to apply “adequate and reasonable cybersecurity procedures and protocols necessary to protect victims’ PII”.
The suit also alleges that 23andMe ignored users’ rights, didn’t adequately secure data systems from unauthorized intrusions, and did not monitor its networks, which would have enabled the company to discover the intrusion sooner.
Claims in three of the other lawsuits are very similar in nature. One suit brought claims for negligence, invasion of privacy, breach of contract and breach of implied contract.
23andMe users have been urged to change their passwords and to enable multi-factor authentication on their accounts. Consumers can also request that 23andMe delete their account, stop using their personal data in new research studies, and destroy the genetic sample they originally submitted.
During the deletion process, 23andMe informs customers that the company and its partner lab will maintain “genetic information, date-of-birth and sex” after the account is deleted, per state and federal legal requirements.