23andMe Faces Global Scrutiny After Data Breach

23andMe Data Breach Sparks International Investigations


June 13, 2024

  • Privacy regulators in Canada, the UK, and Connecticut have launched investigations into 23andMe's data protection practices following a significant data breach
  • Several class-action lawsuits have been filed against 23andMe, alleging inadequate data security and insufficient response to the breach
  • The breach, caused by credential stuffing, led 23andMe to implement mandatory two-factor authentication and temporarily turn off their DNA Relatives tool to prevent further misuse


23andMe, a genetic testing company, is dealing with the consequences of a major data breach that exposed private information for nearly 6.9 million consumers. The breach, discovered in October 2023, has raised serious questions about genetic data security and the company's response to the incident.

Escalation of Investigations

Privacy regulators in Canada and the United Kingdom have launched investigations to assess whether 23andMe's data protection measures were sufficient and to determine what could have been done to prevent the breach. Connecticut's Attorney General, William Tong, has requested further information and questioned the company's compliance with state data privacy regulations.

Several class-action lawsuits have been filed in response to the hack, with the plaintiffs claiming that 23andMe failed to secure their data and reacted inadequately to the incident. The lawsuits challenge the company's requirement for arbitration, aiming to allow users to pursue class-action suits instead. Furthermore, 23andMe's recent revisions to its terms of service, which make it more difficult for consumers to join class-action lawsuits, have sparked criticism.

Details of the Data Breach

The data breach was caused by a credential-stuffing attack, in which attackers accessed 23andMe accounts using lists of usernames and passwords from other hacked sites. The attackers then used the DNA Relatives tool to access user data such as names, birth dates, geographic regions, and genetic heritage.
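To make the pattern concrete from the defender's side, the following added example (not from the original article or from 23andMe) flags source addresses that try many distinct accounts in a short window and mostly fail, and lists the accounts that did log in so they can be reset. The log format, usernames, documentation-range IP addresses, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:05 203.0.113.7 bob FAIL
2024-01-01T10:00:09 203.0.113.7 carol FAIL
2024-01-01T10:00:14 203.0.113.7 dana OK
2024-01-01T10:00:20 203.0.113.7 erin FAIL
2024-01-01T10:00:26 203.0.113.7 frank FAIL
2024-01-01T10:01:00 198.51.100.20 grace FAIL
2024-01-01T10:01:30 198.51.100.20 grace OK
2024-01-01T10:02:00 192.0.2.50 heidi OK
2024-01-01T10:02:10 192.0.2.50 ivan OK
2024-01-01T10:02:20 192.0.2.50 judy OK
2024-01-01T10:02:30 192.0.2.50 ken OK
2024-01-01T10:02:40 192.0.2.50 lena OK
"""

def parse_events(text):
    """Yield (timestamp, ip, username, succeeded) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def flag_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts in one window and mostly fail.

    Thresholds are illustrative assumptions; tune them against real traffic.
    Returns {ip: {"distinct_users": n, "compromised": [accounts that logged in]}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u, _ in evs[start:end + 1]}
            hits = sorted({u for _, u, ok in evs[start:end + 1] if ok})
            stuffing = len(users) >= min_users and len(hits) / len(users) <= max_success_ratio
            if stuffing and len(users) > flagged.get(ip, {}).get("distinct_users", 0):
                flagged[ip] = {"distinct_users": len(users), "compromised": hits}
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The success-ratio check is what keeps a shared office address with many legitimate logins (192.0.2.50 in the sample) from being flagged. A per-address rule like this misses attempts spread across many addresses, so it complements rather than replaces 2FA and password resets.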

Company's Response

In response to the hack, 23andMe imposed mandatory two-factor authentication (2FA) for all users, as well as password reset requirements. The company has temporarily deactivated the DNA Relatives tool to prevent further breaches. Critics believe these protections were added too late, highlighting the company's lack of solid security processes.

Future Implications

The 23andMe data leak highlights the need for robust cybersecurity safeguards, particularly for organizations dealing with sensitive genetic information. As investigations continue, the company will face obstacles in repairing its image and protecting its consumers' data. 23andMe must commit to strong security procedures and honest communication in the future to rebuild user confidence and meet regulatory standards.
