23andMe Faces Backlash for Blaming Victims in Wake of Massive Data Breach
23andMe, the popular DNA testing company, is facing severe criticism for deflecting blame onto the victims of its recent massive data breach, as described in a January 3, 2024 TechCrunch article. The company, which recently admitted to an October 2023 security breach compromising the genetic and ancestry data of 6.9 million users, is now under fire for attempting to absolve itself of any responsibility by pointing fingers at its customers.
Legal Backlash and Criticism:
TZ Partner Hassan Zavareei, one of the lawyers handling the lawsuits against 23andMe, expressed outrage at the company’s attempt to blame the victims, stating, “Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events.” He emphasized that the breach impacted millions of consumers who had their data exposed through the DNA Relatives feature, not because of recycled passwords. IT and information security news outlets have made hay with the data breach, musing that perhaps the company should have protected users’ data better. The potential consequences of DNA data theft are nonzero, and a privacy advocacy organization commented, “From our health profiles to our family trees to far subtler details of our biology, this hack could potentially reveal so much.”
Blaming the Victims:
In response to the legal actions, 23andMe sent a letter asserting that the breach was not a result of the company’s failure to maintain reasonable security measures. Instead, the company claimed that users were at fault for negligently recycling and failing to update their passwords.
Hassan Zavareei condemned this move as “finger-pointing,” adding,
“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform […] 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever.”
Changing the Terms of Service:
In an apparent attempt to protect itself from class action lawsuits, 23andMe made changes to its terms of service after disclosing the breach.
23andMe’s response to the data breach, which shifts blame onto its customers and attempts to downplay the severity of the incident, has sparked widespread condemnation. As the legal battle unfolds, the company faces not only the repercussions of the data breach but also growing criticism for its handling of the aftermath and its attempts to shield itself from legal consequences.
- TechCrunch, “23andMe tells victims it’s their fault that their data was breached”
- Fox Business, New York Post, “23andMe blames users for data breach, citing recycled passwords”
- Gizmodo, “23andMe to Data Breach Victims: It’s Your Fault!”
- Tech Radar, “23andMe blames users for security breach, says they should have been better at passwords”
- Business Insider, “Genetic testing giant 23andMe is reportedly turning the blame back on its customers for its recent data breach”
- Inc., “The Fault in Your Genes: 23andMe Blames Customers for Data Thefts”
- Times of India, “Why this company is blaming its customers for data breach”
- The Messenger, “DNA Testing Company 23andMe Blames Its Users for Data Breach”
- Gillett News, “23andMe Faces Lawsuits and Shifts Blame onto Victims Following Data Breach”
- Fudzilla, “23andMe blames victims for massive data breach”
- Tech Times, “23andMe Blames Victims on Recent Data Breach Incident Concerning 6.9 Million Users”
- Proactive Australia, “23andMe faces backlash for blaming customers for data breach”
- iTech Post, “23andMe Allegedly Shifts Blame to Victims of Massive Data Breach”
- Blaze Media, “23andMe blames victims for data breach, claiming users ‘recycled’ passwords”
- Infosecurity Magazine, “23andMe Blames User ‘Negligence’ for Data Breach”
- The Register, “Infosec experts divided over 23andMe’s ‘victim-blaming’ stance on data breach”
- Ars Technica, “23andMe told victims of data breach that suing is futile, letter shows”
- SC Magazine, “23andMe says users’ bad password hygiene to blame for leak affecting 6.9M”
- Digit.fyi, “23andMe Says Breach Victims Are to Blame, Legal Action is Futile”
- TechSpot, “23andMe is now blaming users and their recycled passwords for data breach”