23andMe breach: ‘Thousands’ seek to join B.C. class-action suit after 6.9M hacked

globalnews.ca:

Hackers were able to gain access to the personal information of 6.9 million 23andMe customers in a data breach, the company confirmed on Tuesday — representing nearly half of 23andMe’s reported user base of 14 million customers.

The genetic testing company, which offers health insights and ancestry information based on customer-submitted DNA collected by saliva swabs, said it learned of the hack in early October. After weeks of speculation, the true extent of the data breach has been revealed.

In some cases, users’ names, family trees, ancestry reports, locations, profile pictures and birth years were leaked. While the stolen data does not include DNA records, 23andMe told Global News in an email that the breach may have leaked “specifically where on (users’) chromosomes they and their relative had matching DNA.”

According to a proposed class-action lawsuit against 23andMe filed in B.C. Supreme Court, this stolen information was then put up for sale on the dark web.

The lead plaintiff in the lawsuit is an unnamed B.C. man, whose identity is protected under a publication ban, lawyer Sage Nematollahi told Global News.

Nematollahi’s firm KND Complex Litigation and Vancouver-based law firm YLaw Group are working together to pursue this class-action lawsuit.

Nematollahi said in a phone interview that “thousands” of Canadians have reached out to his law firm in the wake of the data breach, seeking to join the class-action suit. He said the volume of inquiries was “unprecedented” in his career.

The lawsuit alleges that 23andMe engaged in “willful, knowing or reckless conduct” by not implementing and maintaining proper data retention and data protection practices.

“As a result, they affirmatively exposed the highly sensitive and