23andMe Blames Victims For Data Breach

Genetic testing company 23andMe, which is facing more than 30 lawsuits from the victims of a massive data breach, is claiming that the victims themselves are to blame for the loss of their own data, TechCrunch reports. 

In a letter to hundreds of 23andMe users suing the company, 23andMe said the victims “negligently recycled and failed to update their passwords” after past security incidents unrelated to 23andMe. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

In December, genetic testing company 23andMe admitted that the genetic and ancestry data of 6.9 million users had been compromised. After the breach, 23andMe changed its terms of service, apparently in an attempt to pre-empt class action lawsuits and mass arbitration claims. That didn’t work.

23andMe is facing more than 30 lawsuits in US federal and state courts, and courts in British Columbia and Ontario, Canada. There is currently an effort to consolidate these cases into rough multi-district litigation.

Hassan Zavareei, one of the lawyers representing the victims who received the letter, told TechCrunch that 23andMe is “shamelessly” blaming the victims of the data breach.

“This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available,” Zavareei said in an email to TechCrunch.