DNA genetic testing company 23&Me allegedly knew about a cyberattack months before it was made public to its customer base, according to legal documents.
San Fransico-based biotechnology company 23andMe deals with crucial personal information including customer details, DNA, and family history of clients.
When the company was reportedly hit with a data breach in October 2023, it put nearly 7 million customers’ information at risk. According to a legal filing on Wednesday, September 27, 2023 that the DNA company sent to California’s attorney general, it is claimed that 23&Me may have known about the cyberattack months prior.
Data breach may have been known five months prior
An October 10 2023 filing with the U.S Securities and Exchange Commission revealed that the DNA testing company determined at the time that “the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords.” This equates to around 14,000 users affected in total.
Although the DNA company alerted the public in October 2023, the California attorney general filing claims that 23&Me knew about it months before. Within the document, a ‘Notice of Data Breach’ letter was provided which stated that the company believed the threat was orchestrated from “the period of late April 2023 through September 2022.”
Subscribe to our newsletter for the latest updates on Esports, Gaming and more.
Initially reported by TechCrunch, this would mean that for around five months, 23&Me already knew about the data breach, which originated as a threat posted on an unofficial 23&Me subreddit. Since this reveal, the company has not confirmed or provided reasoning as to why the cyber attack was allegedly dismissed for so long.
In recent developments, a class-action lawsuit against the company on behalf of Canadian-based law firms YLaw and KND Complex Litigation is being pursued, according to reports, in the Supreme Court of British Columbia. The lawsuit is a reaction to recent terms of service changes made by 23&Me since the data breach.
The update stipulates that customers must tell the company they disagree with the new TOS within 30 days, or they will be locked into the new terms. These changes could prevent 23&Me customers from suing the company, should another data breach occur in the future.