In a controversial response to the legal actions ensuing from last year’s data breach, DNA testing company 23andMe has pointed fingers at its customers for their lax password practices. The breach, which affected thousands of accounts, has brought the company under the legal and public spotlight.
23andMe’s legal team asserted that the breach occurred due to customers reusing passwords across different services. “Users negligently recycled and failed to update their passwords following…past security incidents, which are unrelated to 23andMe,” the lawyers stated, according to a report by TechCrunch. This stance has been taken in response to allegations that the company failed to uphold reasonable security measures as mandated by the California Privacy Rights Act.
The breach was carried out by credential stuffing: the attackers bought usernames and passwords leaked in unrelated breaches and replayed them against the 23andMe login page, gaining access wherever a customer had reused the same password. This method led to at least 14,000 compromised accounts. The situation escalated when it was revealed that the ‘DNA Relatives’ feature, which shares profile data between matched users, could have expanded the breach to an alarming 6.9 million accounts.
In a bid to mitigate the situation, 23andMe implemented several security measures. These included forcibly signing out users, requiring password resets, and introducing multi-factor authentication. The company also stated that the data accessed during the breach “cannot be used for any harm,” highlighting that sensitive information such as Social Security and driver’s license numbers, along with payment or financial details, was not exposed.
However, the victims’ legal representation criticized 23andMe’s approach to security. A lawyer representing the hacking victims told TechCrunch, “23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”
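One of the server-side safeguards the quoted lawyer alludes to is detecting the traffic pattern credential stuffing leaves behind: a single source cycling through many different usernames with a low success rate, which looks nothing like a person mistyping their own password. The following is an added example written for this article, not code from 23andMe or from TechCrunch; the login events, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime        # time of the attempt
    src_ip: str         # client address as seen by the login endpoint
    username: str       # account the credentials were tried against
    success: bool       # whether the password matched


def _t(minute: int, second: int = 0) -> datetime:
    """Build constructed timestamps, all within one hour of one day."""
    return datetime(2023, 10, 1, 12, minute, second)


# Constructed sample login log (not real 23andMe data). One source walks
# through a list of different accounts with mostly failures, the shape that
# credential stuffing leaves; the other sources behave like people.
SAMPLE_EVENTS = [
    # 203.0.113.7: eight distinct accounts in two minutes, two passwords accepted
    LoginEvent(_t(0, 0), "203.0.113.7", "alice", True),
    LoginEvent(_t(0, 15), "203.0.113.7", "bob", False),
    LoginEvent(_t(0, 30), "203.0.113.7", "carol", True),
    LoginEvent(_t(0, 45), "203.0.113.7", "dave", False),
    LoginEvent(_t(1, 0), "203.0.113.7", "erin", False),
    LoginEvent(_t(1, 20), "203.0.113.7", "frank", False),
    LoginEvent(_t(1, 40), "203.0.113.7", "grace", False),
    LoginEvent(_t(2, 0), "203.0.113.7", "heidi", False),
    # 198.51.100.20: one person mistyping their own password, then getting in
    LoginEvent(_t(3, 0), "198.51.100.20", "bob", False),
    LoginEvent(_t(3, 20), "198.51.100.20", "bob", False),
    LoginEvent(_t(3, 40), "198.51.100.20", "bob", True),
    # 192.0.2.5: routine successful logins by a single user
    LoginEvent(_t(5, 0), "192.0.2.5", "ivan", True),
    LoginEvent(_t(40, 0), "192.0.2.5", "ivan", True),
]


def detect_credential_stuffing(
    events,
    window: timedelta = timedelta(minutes=10),
    min_distinct_users: int = 5,
    max_success_ratio: float = 0.5,
):
    """Flag source IPs that, within any sliding time window, attempt logins
    against many distinct accounts with a low success ratio.

    Returns {src_ip: {"distinct_users", "attempts", "successes",
    "compromised_accounts"}} describing the worst window per flagged source.
    The thresholds are constructed defaults; tune them against real traffic.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        j = 0
        for i in range(len(evs)):
            # advance j so that evs[i:j] spans at most `window`
            if j < i:
                j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            span = evs[i:j]
            users = {e.username for e in span}
            successes = [e for e in span if e.success]
            ratio = len(successes) / len(span)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                stats = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": len(successes),
                    # accounts whose password was accepted inside the spray are
                    # the ones to sign out and force through a password reset
                    "compromised_accounts": {e.username for e in successes},
                }
                if best is None or stats["distinct_users"] > best["distinct_users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, stats)
```

The per-source sliding window is what separates the two "bob" failures from a stuffing run: the real user produces one username and a final success, while the attacking source produces eight usernames and six failures in the same window. The `compromised_accounts` set is the list a responder would feed into the forced sign-out and password-reset steps described above; in production the same logic would also key on device fingerprints or ASN, since stuffing tools rotate through proxies.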
This legal tussle puts a spotlight on the responsibilities of companies in protecting user data and the role of consumers in maintaining their digital security. While 23andMe’s defensive legal strategy might be aimed at avoiding the repercussions of class-action lawsuits, it also raises important questions about data security and consumer practices in the digital age.