In the aftermath of a colossal data breach affecting 6.9 million users, 23andMe finds itself entangled in more than 30 lawsuits from victims seeking accountability. 

Instead of putting forward a solution to the victims' concerns, the genetic testing firm is now putting the blame on them.

TechCrunch obtained a letter sent to a group of victims, revealing 23andMe's attempt to evade responsibility.

Breaching the Breach: Understanding the Data Compromise

23andMe Blames Victims For Their Stolen Data in Latest Letter
(Photo: Braňo from Unsplash)
Almost 7 million users were affected by the data breach that hit 23andMe in 2023. Now, instead of addressing each concern of the victims, 23andMe blamed them for being responsible for their stolen data.

Acknowledging the hack in December, 23andMe disclosed that hackers had infiltrated the genetic and ancestry data of almost half of its customer base. 

"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," Hassan Zavareei, one of the lawyers representing the victims, said in a letter sent to TechCrunch via email.

Initially targeting 14,000 accounts, the hackers used credential stuffing, a technique that tries known passwords associated with the targeted customers.

Subsequently, they leveraged the DNA Relatives feature, compromising an additional 6.9 million users who had opted into data sharing.


Victim-Blaming: 23andMe's Alarming Response

23andMe's letter to victims alleges that users "negligently recycled and failed to update their passwords," absolving the company of security lapses. This contentious stance prompted criticism, with legal experts terming it a "shameless" attempt to shift blame onto the breach victims.

Responding to the victim-blaming approach, Dante Termohs, one of the affected 23andMe customers, expressed his disdain, calling the company's behavior "appalling." 

The letter's assertion that the stolen data couldn't cause monetary harm also drew scrutiny. Legal experts argue that the compromised data, even if it excludes sensitive information, still poses risks and undermines 23andMe's accountability.

23andMe's Defensive Measures and Legal Maneuvers

Post-breach, 23andMe took corrective actions, resetting all customer passwords and implementing mandatory multi-factor authentication. However, the company's strategic change to its terms of service, aimed at complicating legal action by victims, raised eyebrows.

Legal professionals condemned the move as a "cynical" effort to shield the company from collective legal challenges.

Persistence of Legal Action

Despite 23andMe's attempts to mitigate fallout and reshape its legal landscape, the surge in class action lawsuits signals a significant challenge. 

The victims, unwilling to accept blame for the breach, are rallying against the company's tactics. As the legal battle intensifies, 23andMe's attempts to downplay the impact and deflect responsibility are met with increasing scrutiny.


Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.