23andMe tells victims it’s their fault that their data was breached
Confronted with over 30 lawsuits from victims of its extensive data breach, 23andMe is attempting to shift blame onto the victims themselves to absolve itself of any responsibility, according to a letter sent to a group of victims and reported by TechCrunch.
"Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events," commented Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe.
In December, 23andMe disclosed that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of its customer base. The breach began with hackers gaining access to around 14,000 user accounts through a technique known as credential stuffing, in which the attackers brute-forced logins using passwords known to be associated with the targeted customers.
The subsequent access to the personal data of the other 6.9 million victims occurred because they had opted into 23andMe's DNA Relatives feature, enabling automatic data sharing with presumed relatives on the platform.
However, in a letter sent to a group of users suing the company, 23andMe contended that "users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe." The company asserted that the incident was not a result of its alleged failure to maintain reasonable security measures.
Zavareei criticized 23andMe for "shamelessly" blaming the victims and called the finger-pointing nonsensical. He argued that 23andMe should have implemented safeguards against credential stuffing, especially considering the sensitive information stored on its platform. He emphasized that millions of consumers had their data compromised through the DNA Relatives feature, not due to recycled passwords, and accused 23andMe of attempting to avoid responsibility by blaming its customers.