23andMe Faces Class Action Lawsuit Following Data Breach
Genetics test-kit company 23andMe is now grappling with a class action lawsuit in the wake of a recent data breach. The plaintiffs argue that 23andMe's notification regarding the breach was inadequate, failing to provide essential information, including details about the containment of the threat and the breach's root cause.
The breach was first brought to light on October 6 when 23andMe posted a blog entry addressing the issue. According to the company, suspicious activity prompted them to initiate an investigation into the breach. It was revealed that threat actors managed to access certain accounts, particularly those where users had reused login credentials. These login credentials, consisting of usernames and passwords, were identical to those used on other websites that had previously experienced security breaches.
While 23andMe claimed to be actively investigating the breach, it attributed the incident to the reuse of login information across multiple websites. The company underlined its adherence to industry data protection standards and emphasized its achievement of multiple ISO certifications for its security program. Notably, 23andMe stated that since 2019, it had offered and encouraged customers to enable multi-factor authentication for their accounts.
The response to the breach, however, seems to have followed a well-established pattern seen after many cybersecurity incidents. Two victims of the recent 23andMe data breach have initiated a class action lawsuit. Filed in the U.S. District Court for the Northern District of California, the lawsuit alleges a range of grievances, including negligence, invasion of privacy, unjust enrichment, and breach of implied contract.
This lawsuit underscores the growing concern among consumers about data privacy and the consequences of breaches involving sensitive personal information. Companies like 23andMe are under increasing scrutiny, and the outcome of this lawsuit could set a precedent for how data breaches are addressed and for the responsibilities of companies in safeguarding user data.
As the legal proceedings unfold, it remains to be seen how the case will progress and whether it might prompt further changes in how organizations handle data breaches and communicate with their customers.