DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.

“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed Friday.

  • @[email protected]
    203 months ago

    https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/

    The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

    The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.

    • Usernames, Profile Photos, DoB

    They can be linked to other online accounts. This allows for phishing, potentially scamming or getting additional information on them which can lead to more sophisticated/personalised scams. Older, less tech savvy users are better targets for scammers.

    • Username, Sex, DoB, Genetic Ancestry, Location data

    Data aggregators can sell this info to Health Insurance Companies or any other system who can then discriminate based on genes, sex, age or location.

    • All of this information

    Can contribute to people committing fraud with their information if they collect enough information from different sources.

    • DNA relatives

    Having enough information about a user to use it to target their now known relatives in personalised scams.

    The people that did this probably didn’t know what information they were going to get, maybe they were hoping for payment info, and settled for trying to just sell what they got.

    Any information, no matter how useless it might seem, is better than no information and enough useless information in the wrong hands can be very valuable.

    There's countless data breaches every year and people will collect it all and link different accounts from different breaches until they have enough information. Most people use the same email address for every website and a lot of people reuse the same passwords, which is how this data leak occurred. Knowing that these users reuse the same email/password combination here means there's a very good chance they’ve reused it elsewhere.

    You can check out what data breaches have occurred and if your email or password has been posted in any of these dumps here: https://haveibeenpwned.com/

    Once the information is out there, it's out there for good and what might seem trivial now to you could be valuable tomorrow to someone else.

    • lattrommi
      English
      63 months ago

      To add more possibilities/perspectives to the above:

      The security question I’ve seen most in my life has probably been “What is your mother's maiden name?” which becomes fairly easy to guess with family history.

      Ancestry information can reveal who is inbred.

      It also can reveal politicians committing nepotism.

      Geographic location can show if someone lives in a redlined neighborhood or the part of town with all the mansions.

      Simply the fact that an account exists on 23andme’s website implies someone took the test, which indicates they (or someone they know) have disposable income. Enough to pay for such a test (initially I believe it was $400 but I could be wrong) and that also implies they have some form of internet access and that they probably own a smartphone/computer/laptop/some kind of technology they can use to access their account. Thus they could be targeted simply for having potential income/assets above that of poverty level.

      If actual DNA data was compromised, which I doubt happened but suppose it did, an advanced enough attacker could use that to plant evidence at a crime scene. Who would believe a whistleblower after their DNA was found on a rape victim? Who would vote for a politician whose DNA was found on a murder weapon used to kill dozens of missing persons? They can scream “fake news!” all they want to, once that seed of doubt has been planted, once enough people are made to believe someone is guilty of some atrocity, it is hard to shake that belief. The DNA evidence is there. It was tested by scientists.

      I could come up with more far-fetched scenarios too. I made a list of them once because a family member purchased one of the 23andme tests for me to take. They did not understand why I refused to take the test. The reason was because a decade and a half prior, I was charged with a crime. The crime doesn’t exist anymore where I live (illegal botany) but at the time it could have been a felony. I did not want to have a felony. Felons had their DNA added to a federal database to assist investigators in finding repeat offenders. I fought hard to ensure I was not convicted of a felony and succeeded by pleading to lesser charges.

      The idea of having my DNA on file with a government agency like the FBI, CIA or NSA terrifies me. A malicious agent could do a lot of damage with it. They could invent threats with it to ensure I comply with their demands. The amount of possible damage they could inflict grows every day with new technology. DNA, gait and facial recognition, geofence data and an AI trained to make deepfakes, in the hands of a shadowy alphabet agency with little oversight, that’s fairly unstoppable by a single person. Imagine if anyone could get their hands on that. A disgruntled coworker. An obsessive ex. A hormonal teen child having a temper tantrum.

      I know this is long and extreme in parts. I hope this helps people understand that DNA data is powerful and could be abused in unimaginable ways.