The genetic testing company 23andMe is being accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.
The lawsuit, which was filed on Friday in federal court in San Francisco, also accused the company of failing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.
The suit was filed after 23andMe submitted a notification to the California Attorney General’s Office that showed the company was hacked over the course of five months, from late April 2023 through September 2023, before it became aware of the breach.
According to the filing, which was reported by TechCrunch, the company learned about the breach on Oct. 1, when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.
The company first disclosed the breach in a blog post on Oct. 6 in which it said that a “threat actor” had gained access to “certain accounts” by using “recycled login credentials” — old passwords that 23andMe customers had used on other sites that had been compromised.
Persons:
23andMe, ”
Organizations:
California Attorney General’s, TechCrunch
Locations:
San Francisco, California