The genetic testing company 23andMe is being accused in a class-action lawsuit of failing to protect the privacy of customers whose personal information was exposed last year in a data breach that affected nearly seven million profiles.
The lawsuit, which was filed on Friday in federal court in San Francisco, also accused the company of failing to notify customers with Chinese and Ashkenazi Jewish heritage that they appeared to have been specifically targeted, or that their personal genetic information had been compiled into “specially curated lists” that were shared and sold on the dark web.
The suit was filed after 23andMe submitted a notification to the California Attorney General’s Office that showed the company was hacked over the course of five months, from late April 2023 through September 2023, before it became aware of the breach. According to the filing, which was reported by TechCrunch, the company learned about the breach on Oct. 1, when a hacker posted on an unofficial 23andMe subreddit claiming to have customer data and sharing a sample as proof.
The company first disclosed the breach in a blog post on Oct. 6 in which it said that a “threat actor” had gained access to “certain accounts” by using “recycled login credentials” — old passwords that 23andMe customers had used on other sites that had been compromised.
The company disclosed the full scope of the breach in an updated blog post on Dec. 5, after the completion of an internal review assisted by “third-party forensics experts.” By that time, according to Eli Wade-Scott, a lawyer for the plaintiffs, users’ personal genetic information and other sensitive material had been made available and offered for sale on the dark web for two months.
23andMe did not immediately respond to requests for comment about the lawsuit.
Jay Edelson, another lawyer representing the plaintiffs, said 23andMe’s approach to privacy and the resulting lawsuit signaled “a paradigm shift in consumer privacy law” as the sensitivity of breached data has increased.
“Now when we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” Mr. Edelson said in an email on Friday. “The standard for when a company acts reasonably to protect data is now a higher one, at least for the type of data that can be used in this manner.”
A father of two in Florida who is one of the lawsuit’s two named plaintiffs said in an interview that the 23andMe kit he bought himself as a birthday present last year revealed that he had Ashkenazi Jewish heritage. The man, who is identified in the complaint only by his initials, J.L., spoke on the condition of anonymity because he said he feared for his safety.
He was looking to connect with relatives, he said, so he opted in to a feature called DNA Relatives, where select information is shared with other 23andMe customers who might be a close genetic match.
Through this feature, the hacker gained access to information from 5.5 million DNA Relatives profiles, 23andMe said in December. The profiles may include a customer’s geographic location, birth year, family tree and uploaded photos.
The hacker was also able to access the profile information of an additional 1.4 million customers by accessing a feature called Family Tree.
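The two mechanisms described above (account takeover through reused passwords, then harvesting data exposed to a compromised account through the DNA Relatives feature) each leave a distinctive trace in application logs. The following is an added illustration written for this article, not code from 23andMe, the lawsuit or the article itself; the log format, thresholds, IP addresses and usernames are constructed assumptions. The first detector flags a source that attempts logins against many distinct accounts with a high failure rate, which is the signature of credential stuffing, and reports which accounts it nevertheless got into. The second flags any account that views an unusually large number of distinct relative profiles in a short window, which is what mass scraping through a sharing feature looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed format: "TIMESTAMP EVENT key=value ...").
# One source, 203.0.113.7, sprays seven different accounts and succeeds on two;
# 198.51.100.4 is a normal user who mistypes once and then logs in.
AUTH_LOG = "\n".join([
    "2023-05-02T01:00:01Z login src=203.0.113.7 user=alice result=FAIL",
    "2023-05-02T01:00:02Z login src=203.0.113.7 user=bob result=FAIL",
    "2023-05-02T01:00:03Z login src=203.0.113.7 user=carol result=OK",
    "2023-05-02T01:00:04Z login src=203.0.113.7 user=dave result=FAIL",
    "2023-05-02T01:00:05Z login src=203.0.113.7 user=erin result=OK",
    "2023-05-02T01:00:06Z login src=203.0.113.7 user=frank result=FAIL",
    "2023-05-02T01:00:07Z login src=203.0.113.7 user=grace result=FAIL",
    "2023-05-02T09:15:00Z login src=198.51.100.4 user=heidi result=FAIL",
    "2023-05-02T09:15:09Z login src=198.51.100.4 user=heidi result=OK",
])

# Constructed activity log: the taken-over account "carol" pulls 25 distinct
# relative profiles in under a minute; "heidi" looks at two over several minutes.
ACTIVITY_LOG = "\n".join(
    [f"2023-05-02T01:10:{i:02d}Z view_relative user=carol relative_id=r{i:03d}"
     for i in range(25)]
    + ["2023-05-02T10:00:00Z view_relative user=heidi relative_id=r900",
       "2023-05-02T10:03:00Z view_relative user=heidi relative_id=r901"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one 'TIMESTAMP EVENT k=v k=v' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
           "event": m.group("event")}
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts with mostly failed logins.

    Returns (flagged_sources, accounts_that_succeeded_from_a_flagged_source).
    The second set is the one a defender acts on: force re-authentication,
    invalidate sessions and review what those accounts did afterwards.
    """
    per_src = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["event"] != "login":
            continue
        stats = per_src[rec["src"]]
        stats["users"].add(rec["user"])
        if rec["result"] == "OK":
            stats["ok"] += 1
            stats["ok_users"].add(rec["user"])
        else:
            stats["fail"] += 1
    flagged, exposed = set(), set()
    for src, stats in per_src.items():
        total = stats["fail"] + stats["ok"]
        if len(stats["users"]) >= min_accounts and stats["fail"] / total >= min_fail_ratio:
            flagged.add(src)
            exposed |= stats["ok_users"]
    return flagged, exposed


def detect_profile_enumeration(log_text, window=timedelta(minutes=5), max_views=20):
    """Flag accounts that view more than max_views distinct relative profiles
    within any sliding time window (mass scraping through a sharing feature)."""
    views = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "view_relative":
            views[rec["user"]].append((rec["ts"], rec["relative_id"]))
    flagged = set()
    for user, events in views.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {rid for _, rid in events[start:end + 1]}
            if len(distinct) > max_views:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print("stuffing sources / exposed accounts:", detect_credential_stuffing(AUTH_LOG))
    print("enumerating accounts:", detect_profile_enumeration(ACTIVITY_LOG))
```

The thresholds are deliberately loose so the constructed sample trips them; in production they would be tuned to the service's baseline, and the enumeration check is the more important of the two, because a reused password gives an attacker one account but a sharing feature with no per-account rate limit turns that one account into millions of records.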
After 23andMe informed J.L. and millions of other users that their data had been breached, J.L. said he feared that he could become a target as antisemitic hate speech and violence were surging, fueled by the conflict between Israel and Gaza.
“Now that the information is out there,” he said, “somebody could come in and decide that they’re going to take out their frustrations.”
On Oct. 1, according to the lawsuit, a hacker who called himself “Golem” and used an image of Gollum from the “Lord of the Rings” films as an avatar leaked the personal data of more than 1 million 23andMe users with Jewish ancestry on BreachForums, an online forum used by cybercriminals. The data included the users’ full names, home addresses and birth dates.
Later, in response to a request on the forum for access to “Chinese accounts” from someone using the alias “Wuhan,” Golem responded with a link to the profile information of 100,000 Chinese customers, according to the lawsuit. Golem said he had a total of 350,000 profile records of Chinese customers and offered to release the rest of them if there was interest, the lawsuit says.
On Oct. 17, Golem returned to the forum to say he had data about “wealthy families serving Zionism” that he was offering for sale in the aftermath of the deadly explosion at Al-Ahli Arab Hospital in Gaza City, the suit said. Israeli officials and Palestinian militants blamed each other for the explosion, but Israeli and American intelligence agencies contend that it was caused by a failed Palestinian rocket launch.
The plaintiffs are seeking a jury trial and unspecified compensatory, punitive and other damages.
“The current geopolitical and social climate,” the lawsuit argued, “amplifies the risks” to users whose data was exposed. Representative Josh Gottheimer, Democrat of New Jersey, called for an F.B.I. investigation into the breach earlier this month, noting the focus on Ashkenazi Jews.
“The leaked data could empower Hamas, their supporters, and various international extremist groups to target the American Jewish population and their families,” Mr. Gottheimer wrote in a letter to Christopher Wray, the F.B.I. director.
Ramesh Srinivasan, a professor in the department of information studies at the University of California, Los Angeles, said it was inevitable that these types of breaches would continue.
The question, he said, is whether companies will address them by taking serious precautions — tightening security or limiting data retention, for instance — or whether they will simply apply a Band-Aid by promising to do better next time.
“We’re staring into the abyss when it comes to the datafication of our lives,” he said.