A proposed class-action lawsuit against 23andMe could include more people in Canada than originally anticipated, experts say, after the genetic testing company said a data breach affected millions more customers than initially believed.
A statement from the company on Tuesday said hackers gained access to roughly 6.9 million profiles on the site — nearly half its client base. Those profiles contain sensitive personal data, ranging from birth year and geographic location to health information and the percentage of DNA users share with their relatives.
Some clients found out about the breach through an email in early October, when the company initially said the hack affected a fraction of its users. One of those clients is a man in B.C. who is now leading a proposed class-action claim alleging 23andMe didn’t do enough to protect customer data. His identity is protected by a court order.
“It’s very intimate, the information that they have, and it honestly scared the hell out of me that they lost it,” said the man.
Experts have warned data breaches have become more common in an age where information is treated as currency, particularly when it comes to data that is highly sensitive and highly valuable, like genetic details. Some say the hack at 23andMe serves as a warning to those who are considering whether to hand over their data to testing companies.
“I would not do it and if anyone asked me, I would say, ‘do not do it,’ ” said Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa.
‘You’re giving them everything’
Like other genetic testing businesses, 23andMe uses saliva samples to generate reports around a customer’s ancestry as well as potential predispositions to certain health conditions.
Once results are complete, the California-based company shows users genetic matches who have also tested with the company — from parents to siblings to far-flung cousins.
The plaintiff in B.C. first used the service around 2018. Intrigued by the ancestry questions raised in his results, he encouraged “maybe a dozen or so” other people in his life to do the same — getting his wife on board and giving kits to family members at Christmas.
“There is regret,” he said in an interview Tuesday.
“You’re giving them everything. You’re basically giving them the raw code of yourself, if you will — you at your most finest essence.”
23andMe has not responded to the lawsuit in court. A statement did not say how many of the affected users live in Canada.
This fall, hackers initially got into around 14,000 accounts — or 0.1 per cent of the company’s client base — by using old, compromised passwords customers had recycled from other accounts on other sites, the company said in its disclosure to the U.S. Securities and Exchange Commission on Monday.
Hackers then used their access to those first accounts to get into roughly 5.5 million DNA Relatives profiles, the feature through which users can share certain pieces of information with other clients who might be a close DNA match.
Those profiles included a display name, recent login details, the percentage of DNA shared with each match and the predicted relationship with that person. They might have also included information like birth year, family tree, location and photos users added to their accounts.
Beyond that, hackers also accessed family tree profile information for roughly 1.4 million customers — accounts that also include display names and relationship labels.
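The two-stage pattern the disclosure describes (logins with passwords recycled from other sites, then bulk viewing of DNA Relatives profiles from the accounts taken over) is what a defender would want to spot in login and profile-view logs. The following is an added illustration, not code from 23andMe or from the article: the event records, thresholds and field layout are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real logs): (timestamp, event, source_ip, account, outcome)
EVENTS = [
    ("2023-10-01T02:00:01", "login", "198.51.100.7", "user01", "fail"),
    ("2023-10-01T02:00:02", "login", "198.51.100.7", "user02", "fail"),
    ("2023-10-01T02:00:03", "login", "198.51.100.7", "user03", "ok"),
    ("2023-10-01T02:00:04", "login", "198.51.100.7", "user04", "fail"),
    ("2023-10-01T02:00:05", "login", "198.51.100.7", "user05", "fail"),
    ("2023-10-01T09:10:00", "login", "203.0.113.9", "user42", "ok"),
    ("2023-10-01T09:10:30", "login", "203.0.113.9", "user42", "fail"),
]
# One taken-over account paging through hundreds of DNA Relatives profiles ...
EVENTS += [("2023-10-01T02:01:00", "view_relative", "198.51.100.7", "user03", "ok")] * 300
# ... versus an ordinary user looking at a handful of matches.
EVENTS += [("2023-10-01T09:11:00", "view_relative", "203.0.113.9", "user42", "ok")] * 12

def credential_stuffing_sources(events, min_accounts=5):
    """Source IPs whose login attempts spread across many distinct accounts.
    A user retrying their own password hits one account; a tool replaying
    credentials leaked from other sites hits many accounts from one source."""
    accounts_by_ip = defaultdict(set)
    for _ts, event, ip, account, _outcome in events:
        if event == "login":
            accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}

def scraping_accounts(events, max_views=100):
    """Accounts viewing more relative profiles than normal use explains."""
    views = Counter(acct for _ts, ev, _ip, acct, _o in events if ev == "view_relative")
    return {acct for acct, n in views.items() if n > max_views}

def compromised_accounts(events):
    """Accounts that logged in from a flagged stuffing source and then
    scraped relatives: the takeover-to-enumeration pivot described in the
    disclosure, and the first set a responder would force-reset and review."""
    bad_ips = credential_stuffing_sources(events)
    logged_in = {acct for _ts, ev, ip, acct, out in events
                 if ev == "login" and out == "ok" and ip in bad_ips}
    return logged_in & scraping_accounts(events)

if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(EVENTS))
    print("scraping accounts:", scraping_accounts(EVENTS))
    print("takeover + scrape:", compromised_accounts(EVENTS))
```

The thresholds are placeholders; in practice they are tuned against a baseline of normal per-account relative views and per-IP login diversity, and the accounts flagged by the third check are the ones where the password reset and two-step verification the company now requires matter most.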
“We do allege and we do believe that customers were not treated properly here [and] that they’ve been harmed,” said lawyer Sage Nematollahi, who is handling the proposed class action with KND Complex Litigation in Toronto.
Little financial recourse for clients, expert says
The company said it has not had any reports of data being used inappropriately to date. The statement said existing customers will be prompted to reset their passwords and that all customers will need to set up two-step verification moving forward.
As for next steps for customers, Scassa said users in Canada can file a complaint with their local privacy commissioner or consider a class-action lawsuit, like the one already filed in B.C. — though she warned both of those avenues are generally geared more toward pushing companies to do better than toward compensating clients.
“This kind of thing, it’s not often a lot of money. All of these recourses are aimed at, hopefully, ensuring it doesn’t happen again.”
Scassa said the best option would be to keep your data private as “genetic data can tell you a tremendous amount.”
“We’re in an environment where data is fuelling technologies that are incredibly powerful and impactful,” she said, noting that handing over sensitive, detailed data about yourself to somebody else when you don’t need to “is risky, quite frankly.”
The plaintiff in B.C. says he wants the company to atone for any negligence that might have contributed to the breach. The class action, which is open to clients living in Canada, is claiming damages for breaches of B.C.’s privacy and consumer laws, breach of contract and negligence.
None of the allegations in the lawsuit’s statement of claim have been proven in court. Class-action lawsuits must be certified by a judge before they can proceed.
“This company should be held liable and held to a standard and a duty to the clients when you have the most pertinent and valuable genetic information that I have,” the man said.
“I mean, I’m still getting emails that relatives have joined [the site],” he said. “They’re carrying on, business as usual.”