23andMe delayed telling Ashkenazi Jews, Chinese their data was stolen

DNA testing provider 23andMe delayed notifying over 7 million people that a hacker targeting information of those with Ashkenazi Jewish and Chinese ancestry had sold their data on the dark web, according to a putative class action filed Friday in federal court.

23andMe, based in South San Francisco, did not return a request for comment on the allegations. Melvin et al. v. 23andMe Inc., 3:24-cv-00487-SK (N.D. Cal., filed Jan. 26, 2024).

Edelson PC managing partner Rafey S. Balabanian wrote in the complaint that the hacker compiled and leaked lists of data belonging to 1 million Jewish customers "expressly in retribution for the Israel-Hamas war" as well as 350,000 Chinese customers "upon request from a user with the alias 'Wuhan.'"

Edelson

Balabanian added that these lists generated significant interest from hackers worldwide and were shared numerous times. "The disclosure of the Jewish and Chinese lists threatens the safety and security of those customers and subjects them to harassment, vandalism, assault, and discrimination ... and given the Chinese government's long history of tracking Chinese citizens both in the country and abroad in the U.S., the data poses unique dangers for Chinese 23andMe customers who may become targets of the Chinese government's surveillance and intimidation apparatus," the attorney wrote.

In December, 23andMe revealed that it had suffered a security breach in which around 14,000 people were targeted. Days later, the company confirmed to TechCrunch that the personal information of almost 7 million people was accessed in the cyber attack. In a statement at the time, 23andMe said protecting its customers' data privacy and security remained a top priority and that it would continue to invest in safeguarding its systems.

Wade-Scott

However, Balabanian claimed that the data breach took place in October and that 23andMe put off notifying customers so it could change its terms and conditions and its arbitration clause. Furthermore, the biotechnology firm never told the 7 million affected individuals that their private genetic information was compromised on the dark web, he said.

According to the complaint, a hacker named "Golem" posted the Jewish customers' data on dark web forums and followed up with the Chinese customers' data after a user requested the information. Golem had an apparent antisemitic agenda, said Balabanian, as the posts included information about who the hacker called "wealthy families serving Zionism."

The filing also referenced another hacker named Dazhbog who uploaded the genetic data of 1 million U.S. customers in August. Noting that they were unaware if 23andMe knew of the incident, the plaintiffs said Dazhbog offered to sell 300 terabytes of company data for $50 million.

"For customers of Ashkenazi Jewish and Chinese ancestry, the stakes could not be higher ... In a climate where cyber threats loom large, the possibility that hackers could aggregate and trade-sensitive genetic information about vulnerable communities represents a harrowing breach of trust and personal security," wrote Balabanian. Edelson CEO Jay Edelson and firm partner J. Eli Wade-Scott also represent the plaintiffs.

23andMe is facing dozens of other lawsuits related to the security breach, including one filed last month by Kaplan Fox & Kilsheimer LLP and Stueve Siegel Hanson LLP. The complaint said the company deflected blame by telling users that hackers took advantage of recycled credentials. Paddy et al. v. 23andMe Inc., 3:23-cv-06698-EMC (N.D. Cal., filed Dec. 29, 2023).

Defended by Greenberg Traurig LLP, 23andMe filed a motion to consolidate the cases before the Judicial Panel on Multidistrict Litigation on Dec. 22.