23andMe Slammed With Class Action Lawsuit After Millions Of Profiles Breached In Cyber Attack
Dec. 19 2023, Published 1:30 p.m. ET
The genetic testing company 23andMe was slammed in a class action lawsuit in California after cyber thieves gained access to personal data for at least a million clients, RadarOnline.com can exclusively reveal.
The lawsuit claimed the popular DNA company “intentionally, willfully, recklessly, or negligently” failed to implement adequate safety measures to protect its customers whose birth year, location and ancestry trees were exposed during the attack.
“On no later than October 6, 2023, unauthorized third-party cybercriminals gained access to the Class members’ and, on information and belief, Plaintiff’s PII (personally identifiable information) as hosted with Defendant, with the intent of engaging in the misuse of the PII, including marketing, disseminating, and selling Plaintiff’s and the Class members’ PII (the 'Data Breach'),” stated the lawsuit filed in Orange County Superior Court.
“The total number of individuals who have had their data exposed due to Defendant’s failure to implement appropriate security safeguards is unknown at this time but is estimated to be approximately 1,000,000 individuals at a minimum.”
“An undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding Plaintiff and the Class members in the future.”
The lawsuit was filed in Orange County because the lead plaintiff and alleged victim, Dhaman Gill, lives in Newport Beach, according to the claim.
“Plaintiff, as a result of the Data Breach, has increased anxiety for his loss of privacy and anxiety over the impact of cybercriminals accessing, using, and selling his PII,” the lawsuit stated.
“Plaintiff has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from, on information and belief, his PII being placed in the hands of unauthorized third parties/criminals.”
The San Francisco-area company reported the breach to the Securities and Exchange Commission and claimed hackers used old passwords to first breach about 14,000 profiles. From there, the cyber crooks branched out and siphoned data from millions of other customers.
“23andMe is in the process of providing notification to users impacted by the incident as required by applicable law,” the firm stated in its disclosure report to the SEC.
“While no company can ever completely eliminate the risk of a cyber-attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward.”
The lawsuit, which seeks unspecified compensatory damages, also demanded that 23andMe scrub its clients’ personal information to prevent future attacks or prove it can protect the stored data.
“Defendant (must) delete and purge the PII of Plaintiff and the Class members unless Defendant can provide to the Court reasonable justification for the retention and use of such information when weighed against the privacy interests of Plaintiff and the Class members.”