Genetic testing company 23andMe is embroiled in more than 30 lawsuits from victims of a significant data breach, involving the theft of genetic and ancestry data from 6.9 million users.
In a controversial move, 23andMe has shifted the blame onto its customers, sparking widespread criticism, reports TechCrunch.
The breach, disclosed in December, initially involved unauthorized access to approximately 14,000 user accounts through credential stuffing.
This method exploited reused passwords to gain access to the DNA Relatives feature, subsequently exposing the personal data of an additional 6.9 million customers.
Blames user negligence
In a letter to the victims, 23andMe asserted that the breach resulted from users' negligence in updating passwords, rather than a failure in the company's security measures.
This statement has been met with sharp criticism from Hassan Zavareei, a lawyer representing the victims, who argues that the company should have anticipated and safeguarded against such common password reuse.
Attempt to evade responsibility
23andMe claims that the accessed data cannot inflict monetary harm as it lacks sensitive financial information.
The company's approach has been labelled as an attempt to evade responsibility.
The company has implemented mandatory multi-factor authentication and revised its terms of service in an apparent effort to deter legal actions against it.