A letter from 23andMe’s legal team indicates that the company will attempt to defend its massive October data breach by blaming its customers for recycling their passwords.
While the claim may seem absurd on its face, data protection law (or lack thereof) may actually be on the company’s side to some degree. The incident raises questions about what the exact level of legal obligation is for companies, but also whether pushing back in this way will be worth the inevitable serious PR blow and loss of business.
23andMe blames “negligent” users, denies data breach
23andMe’s defense appears a bit bizarre and contradictory. The lawyers spend much of the letter (addressed to the attorneys handling the class action suit) denying that a data breach took place, at least within the strict definitions of California and Illinois privacy law. But they also claim that negligent users were responsible for the loss of data. Apparently 23andMe feels that there wasn’t a breach, but if there was, it was the fault of all of its users. Also, the users have no right to be concerned because financial information and Social Security numbers were not involved.
There is perhaps some case for negligence to be made for the 14,000 accounts that were initially compromised with credential stuffing attacks. The usernames and passwords are believed to have been obtained from prior data breaches at other online services. That point becomes infinitely more strained for the 6.9 million other users, about half of the company’s total global customer base, that also had data exposed after the hackers gained that initial access.
23andMe also did not mandate that users apply a 2FA method until after the breach, and there is no indication that it ever scanned user passwords for matches to dark web leaks and notified customers about them. While the privacy laws do not require those things, it is a reasonable expectation given the sensitivity level of so much stored DNA data.
The company also appears to have altered its terms of service after the breach, specifically to head off mass claims. It has always required users to agree to arbitration before bringing a suit, but made recent changes to make it harder to organize mass arbitration. The class action suits are challenging the legitimacy and enforceability of these terms.
Ultimately the court’s determination might not hinge on just what the relevant state privacy laws say, but also what a publicly traded company’s fiduciary duty is in terms of data security, particularly when the stolen material could be classified as “biological” or “medical” in nature. And unlike credit card or bank account numbers, stolen DNA information cannot be changed after the fact.
Users blamed for opting in to family-linking features
Perhaps the worst bit of the 23andMe letter is the part in which it is implied that because users opted in to the “DNA Relatives” and “Family Tree” features that were abused for data scraping, they are somehow responsible for agreeing to make that information public. Obviously, users never intended for that information to be taken off-platform and sold on dark web sites. Data stolen by this means includes full name, birth year, self-reported location, DNA composition and family structure, and ancestry reports.
23andMe seems committed to this as their means of legal defense in the data breach suit, no matter how legally viable it might be or how much PR damage it might do. It will be interesting to see if the company actually improves its position in any way after following this course of action.