Original Article Text

23andMe updates user agreement to prevent data breach lawsuits

As genetic testing provider 23andMe faces multiple lawsuits over an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company.

In October, a threat actor attempted to sell 23andMe customer data and, after failing to do so, leaked the data of 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom. 23andMe told BleepingComputer that the data was obtained through credential stuffing attacks that breached customer accounts. Using this limited number of compromised accounts, the threat actors used the 'DNA Relatives' feature to scrape millions of individuals' data.

In a recent update, 23andMe told BleepingComputer that a total of 6.9 million people were impacted by the breach: 5.5 million through the DNA Relatives feature and 1.4 million through the Family Tree feature.

Terms of Use updated to prevent lawsuits

The breach has led to numerous lawsuits against the company, prompting 23andMe to update its Terms of Use on November 30th with a provision stating that mandatory arbitration is required for all disputes, rather than jury trials or class action lawsuits.

"These terms of service contain a mandatory arbitration of disputes provision that requires the use of arbitration on an individual basis to resolve disputes in certain circumstances, rather than jury trials or class action lawsuits," reads the updated Terms of Use.

Emails sent to customers about this change state that users have 30 days from receiving the email notification to notify 23andMe at customercare@23andme.com that they disagree with the new terms. Those who send an email disputing the update will remain on the previous Terms of Service.
Nancy Kim, a Chicago-Kent College of Law professor, told Axios this change in the Terms of Use will likely not protect 23andMe from lawsuits as it will be difficult to prove that they gave reasonable notice to opt out of the new terms.
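The two stages the article describes, credential stuffing against the login endpoint and then a handful of compromised accounts scraping other users' profiles through the relatives feature, each leave a recognizable shape in server logs. The following is an added illustration, not code from the article or from 23andMe; the log formats, field names and thresholds are constructed assumptions.

```python
# Added example (not the article's): flag the two stages the article describes,
# credential stuffing at login, then compromised accounts scraping relative profiles.
# Log lines and thresholds are constructed for illustration.
from collections import defaultdict

# Constructed auth log: source IP, event, username, result.
AUTH_LOG = """\
10.0.0.7 LOGIN alice FAIL
10.0.0.7 LOGIN bob FAIL
10.0.0.7 LOGIN carol OK
10.0.0.7 LOGIN dave FAIL
10.0.0.7 LOGIN erin FAIL
10.0.0.7 LOGIN frank FAIL
192.0.2.9 LOGIN gina FAIL
192.0.2.9 LOGIN gina OK
"""

# Constructed app log: which account viewed which relative profile.
ACCESS_LOG = """\
carol VIEW_RELATIVE r1001
carol VIEW_RELATIVE r1002
carol VIEW_RELATIVE r1003
carol VIEW_RELATIVE r1004
carol VIEW_RELATIVE r1005
carol VIEW_RELATIVE r1006
gina VIEW_RELATIVE r2001
"""

def stuffing_sources(auth_log, min_users=5, min_fail_ratio=0.6):
    """IPs that tried many distinct usernames with mostly failures: the shape of
    credential stuffing, as opposed to one user mistyping a password."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for line in auth_log.splitlines():
        ip, _, user, result = line.split()
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        s["fail"] += 1 if result == "FAIL" else 0
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["fail"] / s["total"] >= min_fail_ratio)

def scraping_accounts(access_log, max_profiles=5):
    """Accounts that viewed more distinct relative profiles in the log window
    than a genuine user plausibly would (threshold is an assumption)."""
    seen = defaultdict(set)
    for line in access_log.splitlines():
        user, _, profile = line.split()
        seen[user].add(profile)
    return sorted(u for u, p in seen.items() if len(p) > max_profiles)
```

Note that a single successful login from a stuffing source (carol, above) is exactly the account that then appears in the scraping check, so correlating the two detections is more useful than either alone.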

Daily Brief Summary

DATA BREACH // 23andMe Modifies Terms to Limit Legal Action After Data Breach

Genetic testing provider 23andMe revised its Terms of Use following a significant data breach in October.

The breach involved a credential stuffing attack which compromised customer data and affected 6.9 million people.

Data leaked included customer details from the 'DNA Relatives' and 'Family Tree' features, impacting users mainly of Ashkenazi Jewish descent and those in the UK.

To mitigate future legal repercussions, the company introduced a mandatory arbitration clause to handle disputes, barring jury trials or class action suits.

Customers received notification of the changes with a 30-day period to disagree and preserve the original agreement terms.

Legal experts suggest the enforceability of these new terms may be questionable due to potential issues with reasonable notice to customers.