23andMe Faces Class Action Lawsuit Following Data Breach
In a move that has come to be expected following most cyberattacks, two victims of the recent 23andMe data breach have filed a class action lawsuit.
The suit, filed in U.S. District Court for the Northern District of California alleges negligence, invasion of privacy, unjust enrichment, and breach of implied contract.
“As a result of the data breach, plaintiffs and class members suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their [personal identifiable information],” alleged the lawsuit filed Oct. 9 filed by Monica Santana of Florida and Paula Kleynburd of New York
The plaintiffs said victims of the breach face “present and imminent threat of fraud and identity theft.” Recent reports have said an anonymous hacker has put the information from millions of customer accounts for sale, including email addresses, photos, gender, date of birth, and DNA ancestry.
Related: Hacker Puts 23andMe User Data Up for Sale on the Internet
The notification about the breach from 23andMe, a genetics test-kit company that offers ancestry and health reports after analyzing a customer’s saliva, was deficient, allege the plaintiffs because it did not address whether the threat has been contained or how the breach occurred.
Originally posted on Oct. 6, a blog entry from 23andMe said it has recently learned of suspicious activity and started an investigation. “While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” the company said.
23andMe said it exceeds industry data protection standards and attained multiple ISO certifications of its security program. The company said that since 2019 it has offered and encouraged customers to use multi-factor authentication.
The case is Santana v. 23andMe Inc., Northern District of California, No. 3:23-cv-05147.