Data leak: for 23andMe, if your genetic data ended up in the wild, it’s a bit your fault


Vincent Mannessier

January 8, 2024 at 7:30 p.m.


© Pixabay

After weakly apologizing for the data leak last October, 23andMe is going on the offensive.

We’re not talking about a hacked Netflix account. When hackers obtained the genetic data of millions of people registered on the genealogy site, many of them felt threatened, or at least wronged. And with a barrage of lawsuits looming on the horizon, the site has radically changed its strategy, showing itself to be remarkably cynical towards the people who are still its customers.

The genetic data of nearly 7 million people in the wild…

On December 1, 23andMe, which lets its users find relatives and/or trace their origins using their genetic fingerprint, announced that approximately 14,000 accounts, or 0.1% of its customers, had been hacked. A serious problem, but one whose implications would have been far less serious for almost any other company. Beyond the nature of the data obtained, which is inherently very sensitive, the very way the service works allowed the attackers to obtain vastly more information than those accounts alone should have given them.

The fault lies with one feature in particular, DNA Relatives, which, once a user opts in, automatically shares some of their information with the other users the service identifies as genetic relatives, so that they can find each other. But it turns out that when it comes to DNA, you can have a great many relatives. That is how a leak that began with 14,000 compromised profiles expanded to almost 7 million people in total, about half of the service’s customers.
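To make that amplification concrete, here is an added toy model (a constructed example, not 23andMe’s code or data) that counts how many profiles a set of stolen logins can reach through an opt-in relatives feature, and shows how a hypothetical per-login cap on match enumeration shrinks that reach:

```python
# Constructed toy dataset (not 23andMe data): which users the service would
# surface to one another as DNA relatives. Edges are symmetric.
RELATIVES = {
    "u1": {"u2", "u3", "u4", "u9"},
    "u2": {"u1", "u3"},
    "u3": {"u1", "u2", "u6"},
    "u4": {"u1", "u7"},
    "u5": {"u6", "u8"},
    "u6": {"u3", "u5"},
    "u7": {"u4"},
    "u8": {"u5"},
    "u9": {"u1"},
    "u10": set(),
}
# Users who opted in to the relatives feature (assumed here: u9 did not).
OPTED_IN = set(RELATIVES) - {"u9"}


def exposed_profiles(compromised, relatives=RELATIVES, opted_in=OPTED_IN,
                     match_cap=None):
    """Return the set of users whose shared profile data an attacker holding
    the `compromised` logins could read through the relatives feature.

    Model assumptions: only opted-in users are surfaced as matches, and only
    an opted-in compromised account can view its matches. `match_cap` is a
    hypothetical control: how many matches one login may enumerate before
    the service throttles it.
    """
    exposed = set(compromised)
    for acct in compromised:
        if acct not in opted_in:
            continue  # compromised but not sharing: reveals only itself
        matches = sorted(m for m in relatives.get(acct, ()) if m in opted_in)
        if match_cap is not None:
            matches = matches[:match_cap]
        exposed.update(matches)
    return exposed


def amplification(compromised, **kwargs):
    """Profiles exposed per compromised login (the blast-radius multiplier)."""
    return len(exposed_profiles(compromised, **kwargs)) / len(compromised)


if __name__ == "__main__":
    stolen = {"u1", "u5"}  # two logins taken over via reused passwords
    print(sorted(exposed_profiles(stolen)), amplification(stolen))
    print(sorted(exposed_profiles(stolen, match_cap=1)),
          amplification(stolen, match_cap=1))
```

In the toy graph two stolen logins expose seven profiles (a 3.5x multiplier); capping enumeration to one match per login cuts that to four, which is the defensive lesson of the real incident at small scale.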

23andMe’s lawyers made it clear that the very sensitive information thus obtained could in no way be used to pressure the victims or extort money from them, since it does not include a social security number, payment information, or other elements that would allow them to be identified.

© Maksim Shmeljov / Shutterstock

For 23andMe, they just had to be more careful

Leaks of more or less sensitive personal data are anything but rare among services with as many users as 23andMe. But what makes this affair unusual is how quickly the company reacted to cover itself. A few weeks after the hack, its T&Cs underwent a small but notable modification… one which prohibits, or at least considerably complicates, any attempt by its users to bring collective legal action against the site.

A cynical change, which did not spare it numerous complaints from users. In a letter to one of these groups of complainants that reads as detached from reality, the company simply explains that “users have reused compromised passwords and failed to update them after security incidents that are not related to 23andMe […] This incident is therefore not related to alleged poor security measures by 23andMe.” The company has nevertheless, and only since this incident, imposed two-factor authentication on all its users.

In other words, for 23andMe, if the 7 million victims want to file a lawsuit, they only need to turn to the original 14,000 victims. We’ll see what the courts say.

Source: TechCrunch (1), TechCrunch (2)
