Three years after the scandal involving the genetic analysis service provider 23andMe, the matter is back before the courts. California Attorney General Rob Bonta essentially accuses the company of ignoring suspicious activity on its servers, failing to implement robust data protection measures, and failing to adequately inform the public about the incident.
The lawsuit is directed against a “Chrome Holding,” which now owns 23andMe – but the focus is still on 23andMe. The genetic analysis provider still operates under this name today and offers the option of having one's own DNA analyzed. Bonta refers to the results of the investigation, according to which 23andMe is said to have noticed strange activity on its servers well before the leak was officially announced in 2023. According to the complaint, the company noticed a suspicious increase in login attempts on July 6, 2023; there were said to have been over a million successful logins to the same customer account within a single day. In addition, 1,300 login requests per minute are said to have come from a single IP address. Bonta complains that, despite this critical warning signal, 23andMe took no measures to protect its customer data.
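The two warning signals the complaint describes (a single IP source sending login requests at an extreme per-minute rate, and a single account accumulating an implausible number of successful logins in one day) are exactly the kind of thing a login-audit detector should raise. The following is an added illustration, not 23andMe's code or logs; it assumes a simple constructed line format `<ISO timestamp> ip=<addr> user=<id> result=<success|failure>` and uses thresholds scaled down to fit the constructed sample, whereas a production rule would sit at a site-specific baseline well below the figures in the complaint.

```python
"""Credential-stuffing signal detector over constructed login-audit lines.

Added illustration, not 23andMe's code or logs. The line format
"<ISO timestamp> ip=<addr> user=<id> result=<success|failure>" is an
assumption chosen for this example. It flags the two patterns the
complaint describes: a source IP exceeding a per-minute request rate,
and an account with too many successful logins in one calendar day.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: one IP hammering the login endpoint within a single
# minute, one account logged into successfully from many addresses, plus
# a little ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"2023-07-06T10:00:{s:02d}Z ip=203.0.113.7 user=u{s} result=failure" for s in range(40)]
    + [f"2023-07-06T11:{m:02d}:00Z ip=198.51.100.{m} user=shared result=success" for m in range(25)]
    + ["2023-07-06T12:00:00Z ip=192.0.2.9 user=alice result=success",
       "2023-07-06T12:00:05Z ip=192.0.2.10 user=bob result=failure"]
)

def parse(line):
    """Split one audit line into (timestamp, ip, user, result)."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]

def detect(log_text, ip_per_minute=30, success_per_day=20):
    """Return (noisy_ips, hot_accounts).

    noisy_ips: IPs that sent >= ip_per_minute requests in any fixed
    one-minute bucket (no sliding window, to keep the example short).
    hot_accounts: accounts with >= success_per_day successful logins
    on any single calendar day, whatever the source addresses.
    """
    ip_minute = Counter()
    acct_day = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse(line)
        ip_minute[(ip, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        if result == "success":
            acct_day[(user, ts.date())] += 1
    noisy_ips = sorted({ip for (ip, _), n in ip_minute.items() if n >= ip_per_minute})
    hot_accounts = sorted({u for (u, _), n in acct_day.items() if n >= success_per_day})
    return noisy_ips, hot_accounts

if __name__ == "__main__":
    ips, accounts = detect(SAMPLE_LOG)
    print("IPs over rate threshold:", ips)               # ['203.0.113.7']
    print("Accounts over success threshold:", accounts)  # ['shared']
```

The account check is deliberately independent of the IP check: the "shared" account in the sample is reached from 25 different addresses, each below the rate threshold, and is only caught by the per-account success count.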
Bonta: Warning signals months in advance
According to the lawsuit, on August 11, 2023, an offer of 23andMe customer data appeared on the Dark Web, which was also discussed in the 23andMe subreddit. The company noticed this too, but did not take any action or implement any further security measures. Investigations have shown that the attackers had access to the servers from April to August 2023. The attack is said to have been carried out using credential stuffing – i.e. login data stolen from other websites that 23andMe users had reused, unchanged, for 23andMe. The attackers also exploited a function of the 23andMe portal that was supposed to enable users to find “genetic relatives,” i.e. strangers with very similar DNA. The function was apparently implemented in such a way that initial access to 14,000 accounts at 23andMe ultimately enabled access to data from a total of seven million customers, one million of whom, according to Bonta, are Californians.
On October 1, 2023, customer data from 23andMe was offered for sale on the Dark Web, with the seller reportedly stating explicitly that some of it was data from Ashkenazi Jewish and Chinese users. In a press release a few days later, 23andMe admitted the credential stuffing, but claimed that there had been no security incident – for Bonta, a gross deception of those affected, as was 23andMe’s general statement that customer data was in safe hands thanks to strong security precautions. 23andMe also warned its customers to use strong passwords and recommended two-factor authentication. The lawsuit, on the other hand, interprets this as the company shifting the blame onto its customers.
23andMe is said to have paid cybercriminals
What is explosive is what apparently happened behind the scenes in October 2023. While 23andMe publicly downplayed the incident, the company is said to have been in contact with the attacker and to have paid him money, among other things to ensure that damaging information about the data leak, which revealed security gaps at 23andMe, disappeared from the Internet. The exact sum allegedly paid is not specified.
Bonta does not consider the described practices of 23andMe to be in accordance with various California data protection laws, including the Genetic Information Privacy Act, the Reasonable Data Security Law and the California Consumer Privacy Act. It is the second major lawsuit that California has filed against 23andMe since the disastrous leak. The state also tried to prevent the sale of the company to an NGO run by ex-CEO and co-founder Anne Wojcicki last year.
The data leak scandal caused 23andMe to experience a massive drop in customer demand, initially driving the company into bankruptcy. This was followed by an auction under US insolvency law, in which the US pharmaceutical company Regeneron Pharmaceuticals emerged as the highest bidder, and Wojcicki’s NGO “TTAM Research Institute” (“Twentythree and Me Research Institute”) initially lost out with its bid of 256 million US dollars. But at the last moment, Wojcicki came back with a new bid and ultimately won the contract for $305 million. California had sued against the sale because, in the US state’s view, it violated its Genetic Information Privacy Act, which prohibits the resale of genetic information.
Tech portal The Register attempted to obtain comment from 23andMe. Today, 23andMe consists of Chrome Holding and TTAM Research. While Chrome Holding, against which the lawsuit is also directed, was not available for comment, the TTAM Research Institute distanced itself from the allegations in the lawsuit: it is a newly founded NGO that has nothing to do with the practices of the old, commercially run (and bankrupt) 23andMe organization. But the person who was, and is, at the head of both organizations is the same: Anne Wojcicki, whose name could become interesting in this legal dispute.
(nen)
