A class action lawsuit has been filed in federal court in San Francisco against 23andMe, a genetics information and testing company headquartered in South San Francisco.

The suit broadly challenges 23andMe’s response to hackers who accessed sensitive information of as many as 7 million customers beginning in April 2023. According to the complaint, 23andMe learned, but did not disclose in a timely way, that the hackers had targeted people of Ashkenazi Jewish and Chinese heritage.

The lawsuit filed Friday says that sensitive information on a million Ashkenazi Jews and 350,000 customers of Chinese heritage was obtained by hackers and offered for sale on the dark web, raising legitimate fears “for the personal safety and security of customers” in those groups and creating the risk of “subjecting them to ethnic targeting, discrimination, and harassment.”

The situation differs from typical data breach cases, according to Gia Jung, counsel for the plaintiffs, because most cases involve the theft of financial information, not genetic or health information. 

“You can change your credit card, you can change your email, you can’t change your genetic makeup,” said Jung. 

That makes it much harder to remedy.

“There’s a lot of harm that could arise from this type of data breach that isn’t seen in some other prototypical data breach cases,” she said.

The complaint suggests that the information could be used, for example, to target Jews to retaliate for the actions in Palestine or to create a ‘targeted social engineering attack.’

23andMe is best known for selling genetic testing kits direct to consumers, though it has positioned itself more broadly as a health care company. Consumers who provide a DNA sample through saliva receive reports that, according to the complaint, “are incredibly detailed and can include insights into users’ predisposition and carrier status for certain cancers, diabetes, hearing and vision loss, celiac disease, Alzheimer’s disease, and cardiovascular diseases, amongst others.”

The company offers a feature that allows customers who wish to do so to find their “DNA Relatives.” According to Jung, the DNA Relatives feature is “kind of like the Facebook of 23andMe where you can see anyone who might be genetically related to you.”

Customers who opt in to that functionality are able to see “other customers’ display name, how recently they logged in to their accounts, relationship labels, predicated relationship and percentage of DNA shared with matches, location, ancestor birth locations and family name, ancestry reports, maternal and paternal haplogroup results and neanderthal ancestry results, profile pictures, birth years, links to ‘Family Trees’ and anything users have added to their introductions.”

23andMe assured its users that it would safeguard their privacy using the “highest industry standards for data security” and told customers that their personal information (name and email) was kept completely separate from their genetic information “so that no one but you (when you use your username and password) can connect the dots between the two.”

The company went on to assure customers that even if “someone gained access to one of these databases, they could not connect your identity to your genetic data, or vice versa.”

An example of a CAPTCHA test. (Alan Levine/Flickr via Bay City News)

The 50-page complaint lays out a story that began in April 2023 when a so-called “credential stuffing” campaign was waged against the company. Credential stuffing is a term for hackers taking username and password pairs harvested from one location and trying them against customer accounts on another website, in the hope that the customer reused the same credentials in both places.

23andMe allegedly did not have a mandatory two-factor authentication protocol, nor did it use CAPTCHA, a challenge designed to block automated scripts. Those failings allowed hackers to make large-scale automated login attempts against the company with stolen credentials. (The complaint estimates that 14 million attempts were initiated.)
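The pattern the complaint describes, many automated login attempts against many different accounts from the same source, is the signature defenders look for in authentication logs. The following detector is an added example, not code from the article, the complaint or 23andMe; the log format, the IP addresses and account names, and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

LoginEvent = namedtuple("LoginEvent", "ts src_ip username success")

# Constructed sample log (hypothetical addresses and accounts, not real data).
# Format: <epoch seconds> <source ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
1680300000 203.0.113.7 u1@example.com FAIL
1680300001 203.0.113.7 u2@example.com FAIL
1680300002 203.0.113.7 u3@example.com FAIL
1680300003 203.0.113.7 u4@example.com OK
1680300004 203.0.113.7 u5@example.com FAIL
1680300005 203.0.113.7 u6@example.com FAIL
1680300100 198.51.100.4 alice@example.com FAIL
1680300130 198.51.100.4 alice@example.com FAIL
1680300160 198.51.100.4 alice@example.com OK
1680300200 198.51.100.9 bob@example.com OK
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append(LoginEvent(int(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.
    Stuffing replays leaked username/password pairs, so one source shows many
    usernames and a high failure rate; a user retrying one password does not.
    Thresholds are illustrative, not tuned values from any real system."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e.username for e in evs}
        fail_ratio = sum(not e.success for e in evs) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 3),
                # successes from a stuffing source are likely account takeovers
                "compromised": sorted(e.username for e in evs if e.success),
            }
    return flagged

def analyze_sample():
    return detect_stuffing(parse_log(SAMPLE_LOG))
```

The accounts listed under `compromised` are the ones a response team would force to reset passwords and review, which is the remediation 23andMe later reported taking across its whole user base.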

From those attempts, the plaintiff says that some 14,000 customers of 23andMe had their accounts compromised in this fashion, but the attack did not stop there. 

Apparently from that base, the hackers were able to use the DNA Relatives feature to gain access to profile information (“geographic location, birth year, family tree and uploaded photos”) of 5.5 million people. They also reached another 1.4 million profiles through a platform function called “Family Tree.” All in all, the accounts of more than half of the company’s customers were compromised, though how much of any individual customer’s sensitive genetic information was accessed has not been determined.

The hackers put the stolen data to use and, in doing so, they left a few digital footprints. 

In August a hacker on a “cybercrime forum” called Hydra allegedly offered 300 terabytes of 23andMe’s data for sale for $50 million. The hacker also offered to sell data “subsets” for between $1,000 and $10,000.

Exploiting the ‘most valuable data’

On Oct. 1, 2023, a hacker known as “Golem” claimed to have stolen DNA data from 23andMe and, according to the complaint, “As proof…published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users asking would-be buyers for $1 to $10 for the data per individual account.”

The pleading went on, “Golem’s post advertised genomic ancestry data for the users of Ashkenazi descent as ‘the most valuable data you’ll ever see’ and said ‘the data included 23andMe DNA and profile data, including full names, home addresses, birth dates, and ancestry.’”

Thereafter, on October 3, Golem allegedly posted an additional advertisement “including pricing for ‘[t]ailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially raw data profiles.’” (Haplogroups are, according to 23andMe, “genetic classifications or ancestral groupings within a population, typically defined by shared, inherited genetic markers or mutations.”)

The complaint focuses much of its venom on the company’s allegedly inadequate security protocols and on 23andMe’s supposedly languid response to the hack. The company did not make an initial disclosure about the breach until October 6, 2023, when in a blog post and email it said that it had recently learned that customer profile information had been accessed through the DNA Relatives feature. The company recommended that customers make sure they had a strong password and encouraged them to enable multi-factor authentication.

While 23andMe made further disclosures to its customers in October and again in December, according to the plaintiffs, the disclosures were woefully inadequate and “conceal[ed] the fact that the hackers specifically targeted the personal genetic information of Jewish and Chinese customers and compiled that data — including genetic heritage, names, and addresses — into lists that were then sold on the dark web.”

The plaintiffs allege that the company’s security protocols and disclosure practices violated a series of California statutes and amounted to breach of contract and warranty, as well as to the torts of negligence and breach of fiduciary duty. Plaintiffs seek injunctive relief and damages.

Of course, the allegations in the complaint are simply allegations — that is, statements of belief by the plaintiffs — and must ultimately be established by evidence presented at trial. 

Plaintiffs added spice to their claims, asserting that before making full disclosure to its customers, 23andMe quietly changed the terms of service on its website to provide that customers could not bring class actions without making a timely opt-out election. It also allegedly added a provision requiring consumers to pursue arbitration in the event of a dispute.

Financial turmoil

The suit does not come at a good time for the company. 

In a Feb. 7 release, the company said it was revising its guidance and that analysts should expect the loss for the year ending March 31, 2024, to be between $520 million and $525 million.

The company went public on June 17, 2021 via a reverse merger with a SPAC (special purpose acquisition company) formed by Richard Branson at a price of $10 per share.  

On Monday, at midday, a share of 23andMe could be had for 55 cents.

A request for comment on the lawsuit was answered by a spokesperson for 23andMe who referred to a December 5 report on findings from the company’s investigation into the data breach.

The report stated that since detecting the incident, 23andMe had notified all customers of the incident, required all passwords to be reset, and made two-factor authentication mandatory.

The report concluded, “protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data.”

Joe Dworetzky is a second-career journalist. He practiced law in Philadelphia for more than 35 years, representing private and governmental clients in commercial litigation and insolvency proceedings. Joe served as City Solicitor for the City of Philadelphia under Mayor Ed Rendell and from 2009 to 2013 was one of five members of the Philadelphia School Reform Commission with responsibility for managing the city’s 250 public schools. He moved to San Francisco in 2011 and began writing fiction and pursuing a lifelong interest in editorial cartooning. Joe earned a Master’s in Journalism from Stanford University in 2020. He covers legal affairs and writes long-form investigative stories. His occasional cartooning can be seen in Bay Area Sketchbook. Joe encourages readers to email him story ideas and leads at joe.dworetzky@baycitynews.com.