23andMe to Data Breach Victims: It’s Your Fault!

What happens when a company loses a bunch of user data? Typically, they apologize and sheepishly beg for forgiveness. Not so with 23andMe. The popular genomics company, which suffered a pretty terrible data breach last year, has instead opted to tell pissed off customers that they probably should’ve picked a better password if they didn’t want their data boosted.

To clarify, 23andMe is currently being sued—or, more accurately, legally attacked—by a large number of people due to the fact that droves of user accounts were compromised by cybercriminals last year. News of the breach originally broke in October, when customer data was posted for sale on the dark web. At that point, 23andMe told the public that only about 14,000 accounts had been compromised. However, later investigation revealed that, due to an internal data-sharing feature linked to those accounts, the real number of impacted people was probably something like 6.9 million.

So, yeah, people are naturally pretty pissed and, as a result, are trying to sue the genomics company. The keyword here is “trying” because, due to some controversial inclusions in 23andMe’s terms of service agreement, mass litigation (like a class-action lawsuit) is quite difficult to achieve. Instead, the company’s TOS stipulates that users must forego the opportunity to sue the company and instead try their hand at “forced arbitration,” an alternative legal pathway that experts contend is heavily weighted in favor of corporations. Still, a number of class-action lawsuits have been filed against the company, apparently in an attempt to override the company’s original agreement.

Humorously enough, not only is 23andMe opting to stay out of court, but it also seems to be denying it was the primary wrongdoer in the data breach. Case in point: On Wednesday, TechCrunch reported on a letter that the genomics company had sent to the law offices of one of the firms handling a lawsuit against it, Tycko & Zavareei LLP, in which it seemed to deny wrongdoing and, in some instances, pointed the finger back at impacted customers. The letter, which was sent to the law firm’s offices, says, in one such passage:

“…users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures…”

In other words, 23andMe appears to be saying that this whole data debacle isn’t really its fault. This is consistent with what the company has previously stated, which is that the real culprit of the entire affair was bad account security and that its own systems were never breached by the criminals. However, critics have pointed out that 23andMe should have probably required users to use multi-factor authentication—an industry standard security practice that it failed to abide by prior to the breach. The company only instituted mandatory 2FA after users’ data was stolen.

In response to 23andMe’s letter, lawyer Hassan Zavareei told Gizmodo that “23andMe disclaims all liability for the breach and shamelessly blames its customers for the breach on the ground that the data was stolen through the accounts of customers who recycled login credentials from other sites.”

In a phone conversation, Zavareei also pointed to the fact that 23andMe had recently updated its TOS to make the arbitration process more onerous and difficult to navigate. Other legal experts agree that the company’s recent contractual changes have made it more difficult for impacted users to band together and pursue “mass arbitration,” a process that would be a more akin to a class-action suit and thus, more advantageous and convenient for victims.

Is there a way around the arbitration clause? According to Zavareei, there are some hypothetical scenarios in which victims could pursue traditional litigation.

“They [23andMe] could wave arbitration and just agree to litigate in court and not invoke the arbitration clause,” said Zavareei. “We don’t have any indication that is their intent. They could do that if they just wanted to resolve everything all at once rather than having thousands of arbitration [cases].” The lawyer also said that plaintiffs in those cases could “challenge the arbitration clause and say that the arbitration clause is unenforceable. There are a number of [legal] arguments that once could make that the clause is unenforceable and unconscionable.”

In other words, 23andMe could decide to chance a more traditional litigation process if it thinks that would be a simpler than handling droves and droves of individual arbitrations. Or, hypothetically, impacted customers could contest the company’s arbitration clause. That said, both of those possibilities don’t seem particularly likely.

Gizmodo reached out to 23andMe for comment but did not hear back. We will update this story if it responds.

What happens when a company loses a bunch of user data? Typically, they apologize and sheepishly beg for forgiveness. Not so with 23andMe. The popular genomics company, which suffered a pretty terrible data breach last year, has instead opted to tell pissed off customers that they probably should’ve picked a better password if they didn’t want their data boosted.

To clarify, 23andMe is currently being sued—or, more accurately, legally attacked—by a large number of people due to the fact that droves of user accounts were compromised by cybercriminals last year. News of the breach originally broke in October, when customer data was posted for sale on the dark web. At that point, 23andMe told the public that only about 14,000 accounts had been compromised. However, later investigation revealed that, due to an internal data-sharing feature linked to those accounts, the real number of impacted people was probably something like 6.9 million.

So, yeah, people are naturally pretty pissed and, as a result, are trying to sue the genomics company. The keyword here is “trying” because, due to some controversial inclusions in 23andMe’s terms of service agreement, mass litigation (like a class-action lawsuit) is quite difficult to achieve. Instead, the company’s TOS stipulates that users must forego the opportunity to sue the company and instead try their hand at “forced arbitration,” an alternative legal pathway that experts contend is heavily weighted in favor of corporations. Still, a number of class-action lawsuits have been filed against the company, apparently in an attempt to override the company’s original agreement.

Humorously enough, not only is 23andMe opting to stay out of court, but it also seems to be denying it was the primary wrongdoer in the data breach. Case in point: On Wednesday, TechCrunch reported on a letter that the genomics company had sent to the law offices of one of the firms handling a lawsuit against it, Tycko & Zavareei LLP, in which it seemed to deny wrongdoing and, in some instances, pointed the finger back at impacted customers. The letter, which was sent to the law firm’s offices, says, in one such passage:

“…users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures…”

In other words, 23andMe appears to be saying that this whole data debacle isn’t really its fault. This is consistent with what the company has previously stated, which is that the real culprit of the entire affair was bad account security and that its own systems were never breached by the criminals. However, critics have pointed out that 23andMe should have probably required users to use multi-factor authentication—an industry standard security practice that it failed to abide by prior to the breach. The company only instituted mandatory 2FA after users’ data was stolen.

In response to 23andMe’s letter, lawyer Hassan Zavareei told Gizmodo that “23andMe disclaims all liability for the breach and shamelessly blames its customers for the breach on the ground that the data was stolen through the accounts of customers who recycled login credentials from other sites.”

In a phone conversation, Zavareei also pointed to the fact that 23andMe had recently updated its TOS to make the arbitration process more onerous and difficult to navigate. Other legal experts agree that the company’s recent contractual changes have made it more difficult for impacted users to band together and pursue “mass arbitration,” a process that would be a more akin to a class-action suit and thus, more advantageous and convenient for victims.

Is there a way around the arbitration clause? According to Zavareei, there are some hypothetical scenarios in which victims could pursue traditional litigation.

“They [23andMe] could wave arbitration and just agree to litigate in court and not invoke the arbitration clause,” said Zavareei. “We don’t have any indication that is their intent. They could do that if they just wanted to resolve everything all at once rather than having thousands of arbitration [cases].” The lawyer also said that plaintiffs in those cases could “challenge the arbitration clause and say that the arbitration clause is unenforceable. There are a number of [legal] arguments that once could make that the clause is unenforceable and unconscionable.”

In other words, 23andMe could decide to chance a more traditional litigation process if it thinks that would be a simpler than handling droves and droves of individual arbitrations. Or, hypothetically, impacted customers could contest the company’s arbitration clause. That said, both of those possibilities don’t seem particularly likely.

Gizmodo reached out to 23andMe for comment but did not hear back. We will update this story if it responds.