Some of us take a genetic test to find out if we are at risk for genetic diseases. Some of us do so to discover long-lost relatives. None of us take it to end up on the watch lists of malign actors targeting racial categories.
In October 2023, genetic testing company 23andMe suffered a data breach that compromised around 7 million users’ information. The company now also faces accusations of failing to notify customers with Ashkenazi Jewish and Chinese heritage that they were specifically targeted in the breach. Users also weren’t told that their test results with genetic information had been compiled into curated lists later shared on the dark web. While 23andMe did release an apology letter to affected customers, the letter made no mention that people were targeted for their heritage.
The main perpetrator is a mysterious online troll who goes by “Golem.” Golem released the private information of over 1 million 23andMe customers with Jewish heritage on BreachForums, an internet platform frequented by cybercriminals. This information encompassed the users’ complete names, residential addresses, and dates of birth.
Golem later responded to another user named “Wuhan” who requested access to “Chinese accounts,” linking the profile information of 100,000 Chinese customers. Golem claimed to have a total of 350,000 profile records of Chinese customers which they might release. After the deadly explosion at Al-Ahli Arab Hospital in Gaza City, Golem returned to the forum on October 17 to declare they had data on “wealthy families serving Zionism” on sale.
This latest blow is just part of the continuing fallout for 23andMe after it was hacked in 2023. Given the growing antisemitic rhetoric online and the very real physical threats both at home and abroad, that posting has raised concerns among 23andMe members about their own safety. “The current geopolitical and social climate amplifies the risks” to users whose data was exposed, according to a class-action suit filed against 23andMe for failing to notify customers of the curated lists.
23andMe argues that the harm of the breach is limited because it cannot cause financial harm: the exposed data did not include information such as credit card details. However, the release of genealogy or relationship information remains highly useful to an attacker who wants to build a social engineering campaign for the purpose of scamming consumers, stealing an identity, or gaining privileged system access.
23andMe appears to be going on the defensive, scrambling to cover its bases after being faced with numerous class actions. Yet the company’s self-preservation seems to come at the expense of its customer relations and reputation.
Months after it first became aware of the breach, 23andMe sent a letter to customers pursuing legal action against the company, defending itself by arguing that the breach poses no tangible real-world problems. The company insisted "the information that was potentially accessed cannot be used for any harm.”
Furthermore, the company placed responsibility for the hack on users who carelessly reused or neglected to update their passwords, attributing the breach to “credential stuffing” attacks, the term cybersecurity experts use for automated login attempts that replay username and password pairs leaked in earlier breaches of other sites. “Therefore,” 23andMe concluded, “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”
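As an added defender-side illustration (not code from the article or from 23andMe): a small detector that flags the signature credential stuffing leaves in an authentication log, namely one source trying many distinct usernames in a short window with mostly failed logins, and lists the accounts where a reused password actually worked so they can be reset. The log lines, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol OK
2023-10-01T12:00:03Z 203.0.113.7 dave FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank FAIL
2023-10-01T12:00:09Z 198.51.100.2 alice FAIL
2023-10-01T12:00:15Z 198.51.100.2 alice FAIL
2023-10-01T12:00:40Z 198.51.100.2 alice OK
2023-10-01T12:01:00Z 192.0.2.9 grace OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome


def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7, max_span_s=300):
    """Return {ip: summary} for sources whose login pattern looks like credential stuffing.

    A single user retrying their own password (198.51.100.2 above) is not flagged:
    the distinguishing feature is breadth across accounts, not volume of failures.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        users = {e[2] for e in events}
        fails = sum(1 for e in events if e[3] == "FAIL")
        span = (max(e[0] for e in events) - min(e[0] for e in events)).total_seconds()
        ratio = fails / len(events)
        if len(users) >= min_users and ratio >= min_fail_ratio and span <= max_span_s:
            flagged[ip] = {
                "users": len(users),
                "fail_ratio": round(ratio, 2),
                # Successful logins from a stuffing source are the accounts to reset first.
                "compromised": sorted(e[2] for e in events if e[3] == "OK"),
            }
    return flagged
```

On the sample log this flags only 203.0.113.7 and names carol as the account whose reused password succeeded; in production the same logic would run over a sliding window rather than the whole file.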
Nevertheless, not everyone agrees with 23andMe. Barbara Prainsack, a University of Vienna professor of comparative policy, pointed out that the company had had a long time to protect itself and to establish data breach protocols. 23andMe seemed to do neither.
23andMe also sent an email to customers notifying them that the company had updated its terms of service on November 30, 2023, by revising its “Dispute Resolution and Arbitration” section. These changes aim to prevent customers from formally suing the firm or pursuing class-action lawsuits against it. A representative from 23andMe informed TheStreet that the informal resolution timeframe referenced in that section has now been extended to 60 days. It seems that customers no longer retain the option, which the previous terms of service provided, of pursuing legal action in court for damages if they fail to reach a resolution through arbitration. The language prohibiting customers from filing class action lawsuits is now presented in all capital letters and condensed for clarity compared with the previous version.
CEO Anne Wojcicki remains optimistic, attempting to transform the company from just a supplier of ancestral data into a healthcare company that develops drugs and sells subscription health reports. The firm’s partnership with GSK to develop drugs based on 23andMe’s genetic database has drawn a great deal of attention. Two of the drug candidates aimed at potential cancer treatments have progressed to early-stage human trials. Just last year, GSK paid 23andMe another $20 million for a nonexclusive data license. These deals give important hints about the company’s viability as a DNA data provider. The payoff for a successful drug is boundless, yet such development could take decades and cost vast amounts of money.
How might the firm achieve such goals without the trust of its customers? Turning around to blame customers for failing to protect the sensitive data they entrusted to the firm, and making a controversial contractual move at the same time, surely sounds the death knell of consumer trust. With 80% of the $1.4 billion in venture funding it raised before the hacking incident already spent, and high-dollar settlements of class-action suits on the way, 23andMe risks going out of business if the company does not switch tactics.