23andMe Claims Victims Are To Blame For Data Breach

Instead of taking accountability for a massive data breach that occurred last year, ancestry company 23andMe said the victims of the incident are the ones to blame.

In a letter the company sent recently to users who have filed a lawsuit against 23andMe, the company wrote that “no breach occurred.”

The letter, which TechCrunch obtained, says the company has reason to believe that the bad actors who accessed user data were able to do so because users “recycled” passwords. In other words, they used username and password combinations at 23andMe that they had also used at other sites that were hacked.

“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the letter reads.

The company further claims it violated no laws as a result of the breach, specifically citing the Illinois Genetic Information Privacy Act, the California Confidentiality of Medical Information Act and the California Privacy Rights Act.

The company wrote the breach “was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

Once the company discovered in October that the data breach had occurred, it immediately ended all users’ active sessions. Users were then required to change their password before they could log back in.

One month later, 23andMe instituted mandatory two-factor authentication for all accounts, something that before then was only optional.
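The pattern the letter describes (credentials reused from other sites’ breaches being replayed against 23andMe logins) is what defenders call credential stuffing, and the response described above (ending sessions, forcing password changes) is the standard containment step. The following is an added illustration, not code from 23andMe or from this article: it flags login sources that try many distinct usernames with mostly failures, lists the accounts that succeeded from those sources, and revokes their sessions. The log format, the thresholds, the sample log lines and all function names are constructed for the example.

```python
"""Added example (not 23andMe's code): spot credential-stuffing sources in
authentication logs and force reset/session revocation for affected accounts.
Log format, thresholds and sample data are constructed assumptions."""
from collections import defaultdict

# Constructed sample authentication log: "timestamp ip username result".
# One source tries many different usernames; one user just mistypes once.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice FAIL
2023-10-01T10:00:02 203.0.113.5 bob FAIL
2023-10-01T10:00:03 203.0.113.5 carol SUCCESS
2023-10-01T10:00:04 203.0.113.5 dave FAIL
2023-10-01T10:00:05 203.0.113.5 erin FAIL
2023-10-01T10:00:06 203.0.113.5 frank SUCCESS
2023-10-01T10:00:07 203.0.113.5 grace FAIL
2023-10-01T10:01:00 198.51.100.7 alice FAIL
2023-10-01T10:01:05 198.51.100.7 alice SUCCESS
2023-10-01T10:02:00 192.0.2.9 heidi SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag IPs that attempted many distinct usernames with a low success rate.

    A single user retrying their own password is not flagged; a source spraying
    one credential pair per account (the recycled-password pattern) is.
    Returns {ip: {"distinct_users": n, "compromised": [users that succeeded]}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": set()})
    for _, ip, user, ok in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["successes"].add(user)
    flagged = {}
    for ip, rec in per_ip.items():
        success_rate = len(rec["successes"]) / rec["attempts"]
        if len(rec["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "compromised": sorted(rec["successes"]),
            }
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated successfully from a flagged source."""
    out = set()
    for info in flagged.values():
        out.update(info["compromised"])
    return sorted(out)


def revoke_sessions(sessions, accounts):
    """End every active session for the given accounts and mark them for a
    mandatory password change. `sessions` maps user -> list of session ids."""
    remaining = {u: s for u, s in sessions.items() if u not in accounts}
    reset_required = sorted(set(accounts))
    return remaining, reset_required


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(events)
    hit = accounts_to_reset(flagged)
    # Constructed session store for the demo run.
    store = {"carol": ["s1"], "bob": ["s2"], "frank": ["s3", "s4"]}
    remaining, reset = revoke_sessions(store, hit)
    print("flagged sources:", flagged)
    print("force reset:", reset, "| sessions left:", remaining)
```

The thresholds (`min_users`, `max_success_rate`) are the knobs a real deployment would tune against its own traffic; the point of the example is that credential stuffing shows up in the aggregate (many accounts, one source, low success rate) even though every individual login looks like a correct password, which is why a mandatory second factor is the control that actually breaks it.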

In a blog post published in December, 23andMe officials wrote that hackers were able to access DNA Relatives profiles on its site. These profiles contain information such as predicted relationships with other users, a percentage of a user’s DNA that they might share with other genetic matches and display names.

Users must turn the feature on for it to be active, the company wrote, so the hackers would not have been able to access those profiles unless the user had opted in first.

Not surprisingly, Hassan Zavareei, an attorney who is representing the victims in the lawsuit, said the company is “shamelessly” blaming users for being hacked.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” he said.