Facing a deluge of more than 30 lawsuits from individuals impacted by a substantial data breach, genomics company 23andMe has taken a defensive stance by placing responsibility on the victims themselves.
The breach came to light in October when customer data surfaced for sale on the Dark Web.
Presently, 23andMe is contending with numerous legal actions filed by individual victims, as the cyberattack compromised the user accounts of nearly 7 million users, marking a significant breach in the company's security.
Amidst over 30 legal actions filed by individuals affected by its extensive data breach, 23andMe has adopted a strategy of shifting culpability onto the victims, seeking to exonerate itself from any liability.
This development was communicated in a letter addressed to a cohort of victims.
Hassan Zavareei, a legal representative for the victims who received the letter from 23andMe, expressed concerns that rather than accepting responsibility for the data security breach, the company appears to be distancing itself from its customers and downplaying the severity of the situation.
This comes after 23andMe disclosed in December that hackers had unlawfully accessed the genetic and ancestry data of 6.9 million users, constituting nearly half of its customer base.
The data breach began with hackers gaining entry to approximately 14,000 user accounts.
The perpetrators used a method known as credential stuffing, in which they logged in to these initial accounts using passwords already known to be associated with the targeted customers.
After infiltrating a mere 14,000 customer accounts initially, the hackers proceeded to extract personal data from an additional 6.9 million customers whose accounts were not directly compromised.
In a letter addressed to a group of hundreds of 23andMe users currently pursuing legal action against the company, 23andMe asserted that the users in question had negligently reused their passwords and failed to update them in the aftermath of previous security incidents.
Notably, 23andMe contended that these prior incidents were unrelated to the company's own security measures.
Following the receipt of 23andMe's letter, Dante Termohs, an affected customer of the data breach, expressed his dismay to TechCrunch, stating that he finds it reprehensible that 23andMe is seemingly evading accountability rather than offering assistance to its customers.
23andMe's legal representatives put forth an argument asserting that the pilfered data lacks the capacity to cause monetary harm to the victims.
This Cyber News was published on www.cysecurity.news. Publication date: Sat, 06 Jan 2024 18:13:04 +0000