23andMe, the popular genetic testing company, has disclosed that a recent data breach compromised around 14,000 customer accounts, representing 0.1% of its customer base. The cyberattack also allowed hackers to access files containing profile information about other users’ ancestry shared through 23andMe’s DNA Relatives feature.
The company’s new filing with the US Securities and Exchange Commission provided additional details on the incident and explained that immediate measures were taken to locate the threat actor who claimed to have gained access to users’ profile information.
An investigation revealed that the hackers gained access to a small fraction of user accounts, primarily by reusing usernames and passwords that had already been compromised on, or were otherwise available from, other websites. The compromised accounts contained various information, including ancestry details and, for a subset of users, health-related information derived from their genetics.
Furthermore, the company stated that a significant number of files containing profile information about other users’ ancestry through the DNA Relatives feature were also accessed. 23andMe is working to remove this leaked information from the public domain to mitigate the impact.
In response to the breach, 23andMe has implemented measures to enhance user data protection, including a mandatory password reset for all users and the introduction of two-step verification.
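The accounts above were taken over by replaying credentials leaked from other sites, and the stated remediation was a forced password reset plus two-step verification. The following is an added example (not 23andMe's code, and the log format is a constructed one): it scans authentication events for source addresses that attempt many distinct accounts with a high failure rate, the pattern credential stuffing leaves in logs, and lists the accounts that nevertheless logged in successfully from such a source so they can be prioritised for reset.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not real provider logs):
# timestamp, source IP, account name, login outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice outcome=fail
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob outcome=fail
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol outcome=success
2023-10-01T10:00:04Z ip=203.0.113.7 user=dave outcome=fail
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin outcome=fail
2023-10-01T10:00:06Z ip=198.51.100.9 user=frank outcome=fail
2023-10-01T10:00:07Z ip=198.51.100.9 user=frank outcome=success
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) outcome=(\S+)")

def parse_auth_log(text):
    """Yield (ip, user, succeeded) tuples from the constructed log lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "success"

def find_stuffing_sources(events, min_accounts=4, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts and mostly fail.
    One user mistyping their own password trips neither threshold; a script
    replaying leaked username/password pairs across many accounts trips both."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if not ok:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts_tried": len(s["users"]),
                           "fail_ratio": round(fail_ratio, 2)}
    return flagged

def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: these are
    the likely takeovers and the first candidates for a forced password reset."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged_ips})

if __name__ == "__main__":
    ev = list(parse_auth_log(SAMPLE_LOG))
    hits = find_stuffing_sources(ev)
    print(hits, accounts_to_reset(ev, hits))
```

The thresholds are illustrative; in production they would be tuned per login endpoint and combined with rate limiting and the second factor the company introduced.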
The financial implications of the breach are estimated to result in one-time expenses between $1 million and $2 million during the fiscal third quarter, covering technology consulting services, legal fees, and third-party advisor costs. The breach has also led to multiple class-action claims against 23andMe in various jurisdictions, and the company is defending these cases while addressing notices under the California Consumer Privacy Act and inquiries from governmental officials and agencies.
While 23andMe believes its investigation into the matter is complete, it acknowledges that new information may emerge and commits to providing updates as required by applicable law.
The company emphasized its commitment to protecting its users’ data and is in the process of notifying impacted users as required by law. However, the full extent of the costs and impacts, including the availability of insurance coverage, remains uncertain.
As this situation unfolds, 23andMe aims to continue providing updates and maintaining transparency. The breach once again underscores the ongoing threat posed by cyberattacks and the need for companies to remain vigilant in safeguarding sensitive user information.