Three years ago, a man in Florida named JL decided to send a tube of his saliva to the genetic testing site 23andMe in exchange for an ancestry report. JL, like millions of other 23andMe participants before him, says he was frequently asked about his ethnicity and longed for a deeper insight into his identity. He said he was surprised by the diversity of his test results, which showed he had some Ashkenazi Jewish heritage.
JL said he didn’t think much of the results until he learned of a massive breach at the company that exposed the data of nearly 7 million people, about half of the company’s customers. Worse, he later learned that a hacker using the pseudonym “Golem” had offered to sell, on a shady dark web forum, the names, addresses and genetic heritage reportedly belonging to 1 million 23andMe customers of similar Ashkenazi Jewish heritage. Suddenly, JL was worried that his own flippant decision to catalog his genes might put him and his family in danger.
“I didn’t know my family was possibly going to be a target,” he said. “I may have put my family and myself at risk for something I did out of curiosity more than anything.”
JL, who asked to be identified only by his initials because of the ongoing privacy concerns, is one of two plaintiffs listed in a recent class action lawsuit filed in California against 23andMe. Plaintiffs allege the company failed to adequately notify users of Jewish and Chinese heritage after they were allegedly targeted. The lawsuit alleges hackers placed those users on “specially curated lists” that could be sold to individuals looking to cause harm.
23andMe has since confirmed hackers gained access to 14,000 user accounts over a five-month period last year, some of which revealed detailed, sensitive reports about users’ health. The company disclosed the exact types of data stolen in its months-long breach in a January data breach notification letter sent to California’s attorney general last month. Hackers gained access to users’ “uninterrupted raw genotype data” and other highly sensitive information, such as health reports and carrier status reports derived from processing a user’s genetic information. Worse, 23andMe confirmed the thieves also accessed other personal information from up to 5.5 million people who had opted in to a feature that lets them find and connect with genetic relatives.
23andMe only publicly acknowledged the hackers’ attacks after one user posted about the data being for sale on a 23andMe subreddit in early October. An investigation into the incident revealed that hackers had actually been trying, sometimes successfully, to gain access since at least April 2023. The attacks continued for nearly five months, until the end of September.
A much larger subset of users had other, potentially less sensitive data exposed through 23andMe’s opt-in DNA Relatives feature, which allows the company to automatically share data between users on the platform who may be related to one another. In other words, hackers who gained access to a user’s account via a compromised password were also able to siphon data about that user’s potential family members. The optional feature gives users insight into a variety of data points, including their family members’ names, their predicted relationship, and the percentage of DNA shared with matches. It may also include an individual ancestry report, matching DNA segments and uploaded photos.
Eli Wade-Scott, one of the lawyers representing JL in the class action, said these alleged ethnicity-specific groupings could amount to “hit lists”. Jay Edelson, another attorney representing those users, worried that the lists of users could look attractive to terrorists looking to identify people of Jewish heritage. He also said Chinese intelligence agencies, which have a history of tracking and intimidating dissidents abroad, could use the data to target people who are critical of the government, or even other nation states.
“This is a total paradigm shift when it comes to the implications of a data breach,” Edelson added.
Months after it first became aware of the breach, 23andMe sent a letter to various customers taking legal action against the company. The company defended itself by saying there was no way the breach could lead to real-world problems: “The information that may have been accessed cannot be used for any harm.” It also blamed the hack on users who “negligently recycled and failed to update their passwords”. Cybersecurity professionals refer to attacks that replay these reused digital keys against other sites as “credential stuffing”.
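The two stages the article describes, credential stuffing against the login endpoint and then bulk harvesting of relatives’ profiles from the few accounts that were opened, both leave a footprint in ordinary logs. The following is an added illustration, not 23andMe code or anything from the lawsuits, of the two checks a defender would run; the log lines and thresholds are constructed for the example.

```python
# Added example (not 23andMe's code): detecting the two stages described above
# in constructed auth and API logs. Stage 1, credential stuffing: one source IP
# tries many distinct usernames with few successes. Stage 2, relative harvesting:
# a freshly compromised account views far more DNA Relatives profiles than a
# normal user does. Thresholds below are illustrative, not production tuning.
from collections import defaultdict

# Constructed sample logs: 203.0.113.7 tries eight usernames and hits two (dave,
# erin); 198.51.100.2 is a normal login; dave then pulls 25 relative profiles.
AUTH_LOG = [f"ip=203.0.113.7 user=u{i} result=fail" for i in range(6)] + [
    "ip=203.0.113.7 user=dave result=ok",
    "ip=203.0.113.7 user=erin result=ok",
    "ip=198.51.100.2 user=alice result=ok",
]
API_LOG = [f"user=dave action=view_relative target=r{i}" for i in range(25)] + [
    f"user=alice action=view_relative target=r{i}" for i in range(3)
] + ["user=dave action=view_report target=self"]

def parse(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def stuffing_sources(lines, min_users=5, max_success_ratio=0.5):
    """Source IPs that tried many distinct usernames with a low success rate."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for rec in map(parse, lines):
        ip = rec.get("ip")
        if not ip or "user" not in rec:
            continue
        users[ip].add(rec["user"])
        attempts[ip] += 1
        successes[ip] += rec.get("result") == "ok"   # bool counts as 0/1
    return {ip: sorted(users[ip]) for ip in users
            if len(users[ip]) >= min_users
            and successes[ip] / attempts[ip] <= max_success_ratio}

def relative_scrapers(lines, max_profiles=20):
    """Accounts that viewed an unusual number of distinct relative profiles."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        if rec.get("action") == "view_relative" and "target" in rec:
            seen[rec["user"]].add(rec["target"])
    return {user: len(targets) for user, targets in seen.items()
            if len(targets) > max_profiles}

if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(AUTH_LOG))   # flags 203.0.113.7 only
    print("relative scrapers:", relative_scrapers(API_LOG))  # {'dave': 25}
```

The second check is the one that would have caught the relatives-feature exposure even after the stuffing succeeded: the accounts it flags are candidates for a forced password reset and 2FA enrollment, and their relatives are the people who need notification.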
“Therefore,” 23andMe concluded, “the incident was not the result of 23andMe’s alleged failure to maintain reasonable security measures.”
But several lawyers and genetic privacy experts say the company should have seen such an attack coming and done much more to protect this highly sensitive, intimate data. “You shouldn’t be able to do an attack like this over the course of months and not have anyone at 23andMe know,” Wade-Scott said.
Barbara Prainsack, a University of Vienna professor of comparative politics, was herself a 23andMe customer. She said the company had a long time to protect itself and establish data breach protocols. 23andMe, she said, apparently did neither: “This is almost a textbook case of how things should not be done.”
She added that it is “morally and politically very stupid” to blame consumers for their own relatively minor security lapses.
The 23andMe users suing the company for negligence seem to agree. They say they would never have bought the company’s kits if they had known how lax its security was. Since the breach, more than two dozen 23andMe users have filed individual and class action lawsuits accusing the company of negligence and breach of privacy. The details of each of the lawsuits differ, but each alleges the company failed to “implement and maintain adequate security measures”.
“23andMe lied to customers about how it would protect their data, failed to reasonably protect their data in accordance with industry standards, lied about the scope and severity of the breach, failed to notify its Jewish and Chinese customers that they were specifically targeted, and ended up exposing them to a host of threats and dangers they would never see coming,” JL’s suit states.
The slow-burning data breach scandal adds insult to injury for a company that has fallen rapidly from the top rungs of Silicon Valley exceptionalism in recent years. The company went public in 2021 at a valuation of $3.5 billion; now it’s worth about $300 million, a 91% drop. 23andMe has never turned a profit in its 18-year history. It could run out of cash by 2025. In just a few short years, the company that once seemed destined to become the “Google of spit” is struggling to stay on the Nasdaq despite co-founder and CEO Anne Wojcicki’s repeated attempts to allay investor concerns.
Experts said the downstream consequences of hackers gaining access to genetic data remain largely hypothetical. Still, they warned, a bad actor armed with this type of information and sufficiently motivated could potentially use it to identify an individual or blackmail them by threatening to reveal even more sensitive information. The possible combination of data obtained from the 23andMe breach with other personal information could lead to sophisticated identity fraud.
Murat Kantarcioglu, a professor of computer science at the University of Texas at Dallas, said he could envision a scenario where an attacker armed with data linking an individual to a previously unknown family member could blackmail them by threatening to make that connection public. Other data that reveals a user’s family history with mental health issues, Kantarcioglu said, could potentially be misused by an employer to pass up someone seeking a job or promotion.
At the time of writing, 23andMe requires two-factor authentication by default for all its users. That additional layer of security, which critics have demanded for years, wasn’t enabled by default until after the breach.
Legal experts say 23andMe has recently made subtle changes to its terms of service, making it harder for victims to file mass arbitration claims, TechCrunch reported. Those changes reportedly came just two days before 23andMe officially disclosed the data breach. 23andMe denies accusations that it changed its terms of service to stave off lawsuits, saying instead that it made the changes to speed up resolution of disputes.
“In the middle of the night [23andMe] changed their terms to game the system and basically make it impossible to bring any kind of large volume arbitration,” Edelson said. Cohen Milstein partner Doug McNamara described the maneuver as a “desperate attempt to discourage and deter from suing [23andMe]” in a December interview with TechCrunch.
Nearly a year has passed since hackers first tried to access 23andMe users’ accounts, but the company’s legal and regulatory concerns are likely just beginning. Aside from the metastasizing lawsuits, lawmakers are getting involved. In January, New Jersey Democratic representative Josh Gottheimer wrote a letter to FBI Director Christopher Wray requesting that the agency launch an investigation into the company to determine whether the exposed data could be used to target Jewish communities. It came on the heels of a letter sent to 23andMe by Arizona Attorney General Kris Mayes seeking additional information about the company’s security protocols.
Experts fear that the ripple effects of the 23andMe breach could extend beyond the company itself. Prainsack worries that anxiety stemming from the breach could make people less likely to share personal health data, not only with 23andMe but also with more traditional doctors. That lack of trust can make it more difficult to treat patients properly.
Kantarcioglu, of the University of Texas, said this likely won’t be the last data breach of its kind to affect genetic testing companies. “You have extremist groups calling for the death of Jews all over the world, so it’s hard to see how the stakes could be any higher,” said Edelson, JL’s attorney. “The way the information is bought and sold is sort of Defcon One in the privacy world.”