23andMe Failed To Warn Customers Targeted in a Data Breach

Published: December 04, 2024


A lawsuit claimed 23andMe failed to inform Chinese and Ashkenazi Jewish customers that they were the targets of a 2023 data heist. Now the genetics company has tentatively agreed to settle the case for $30 million.

Millions of Chinese and Ashkenazi Jewish 23andMe users had their information stolen in a data breach that rocked the biotechnology company in 2023. A lawsuit alleged the company failed to inform these customers they were specifically targeted due to their race—and now the company has agreed to a potential $30 million settlement.


In January 2024, a class action lawsuit was filed against genetic testing company 23andMe regarding a 2023 data breach. The devastating cyberattack compromised the privacy of nearly half of 23andMe’s 15 million customers and was allegedly caused by the company’s failure to adequately protect customer data. Even more concerning, plaintiffs claim 23andMe neglected to inform their customers of a disturbing finding: Reportedly, hackers specifically targeted customers with Chinese and Ashkenazi Jewish ancestry, compiled their information into “specially curated lists,” and sold their data on the dark web. 


According to the suit, the attack seems to have been racially motivated, fueled by anti-Chinese and antisemitic sentiments. Hackers admitted to targeting those with Ashkenazi Jewish ancestry “expressly in retribution for the Israel-Hamas war” in a plot to expose “wealthy families serving Zionism.” The hackers’ reasons for targeting those with Chinese ancestry were not expressly stated. 


23andMe stated the data breach began in April 2023 and lasted around 5 months. In a Notice of Data Breach letter, the genetics company claims to have learned of the cyberattack on October 1st of that year, after a comment containing stolen customer information was posted on Reddit. In an October blog post on 23andMe’s website, the company informed customers that hackers had succeeded in accessing data from 14,000 user accounts in what it called a “credential stuffing incident.” In essence, the company claimed that users had reused the same usernames and passwords across websites, allowing threat actors to take login credentials exposed in earlier breaches of other sites and use them to log in to 23andMe accounts. The company denied that the attack occurred due to failures within its own security systems.


Two months later, in December 2023, 23andMe revealed a shocking update in an email to TechCrunch—the breached accounts had been used to steal the personal information of almost 7 million other customers. Hackers exploited 23andMe features that allowed customers to automatically share personal information with other site users. Once inside the compromised customer accounts, the bad actors were able to tap into a massive source of private information. Among the stolen details were raw genotyping data and other highly sensitive information tying users to specific ethnic groups, which hackers used to isolate and exploit their targets: those with Ashkenazi Jewish and Chinese ancestry. However, 23andMe’s statements never mentioned the apparent racial motivation behind the attacks—a silence that rang loudly to customers whose data was stolen.
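The two phases the article describes, a credential-stuffing spray against the login endpoint followed by bulk harvesting through an account-to-account sharing feature, are both visible in ordinary server logs. The following detection sketch is an added example, not code from 23andMe or from the article; the log fields, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    actor: str     # source IP for logins, account id for profile views
    target: str    # username tried, or relative profile viewed
    ok: bool = True

def _dense_window(events, window, min_count, min_targets):
    """True if some `window`-second span holds >= min_count events
    touching >= min_targets distinct targets (sliding two-pointer scan)."""
    evs = sorted(events, key=lambda e: e.ts)
    lo = 0
    for hi in range(len(evs)):
        while evs[hi].ts - evs[lo].ts > window:
            lo += 1
        span = evs[lo:hi + 1]
        if len(span) >= min_count and len({e.target for e in span}) >= min_targets:
            return True
    return False

def flag_stuffing_sources(logins, window=300, min_fails=50, min_users=40):
    """IPs whose failures spray many distinct usernames (credential stuffing),
    mapped to the accounts they nevertheless managed to open."""
    by_ip = defaultdict(list)
    for e in logins:
        by_ip[e.actor].append(e)
    return {ip: sorted(e.target for e in evs if e.ok)
            for ip, evs in by_ip.items()
            if _dense_window([e for e in evs if not e.ok], window, min_fails, min_users)}

def flag_bulk_profile_access(views, window=3600, max_profiles=100):
    """Accounts that pulled more distinct relatives' profiles in `window`
    than a person plausibly browses (the scraping phase)."""
    by_acct = defaultdict(list)
    for e in views:
        by_acct[e.actor].append(e)
    return sorted(a for a, evs in by_acct.items()
                  if _dense_window(evs, window, max_profiles + 1, max_profiles + 1))

# Constructed sample data (hypothetical, not real logs): one IP cycles through
# 100 leaked username/password pairs and opens 4 accounts; one opened account
# then fetches 400 relatives' profiles. A normal user (alice, bob) is included.
SAMPLE_LOGINS = [Event(1000 + i, "203.0.113.7", f"user{i}", ok=(i % 25 == 0)) for i in range(100)]
SAMPLE_LOGINS += [Event(1000 + 30 * i, "198.51.100.3", "alice", ok=(i == 2)) for i in range(3)]
SAMPLE_VIEWS = [Event(2000 + i, "user25", f"relative{i}") for i in range(400)]
SAMPLE_VIEWS += [Event(2000 + 60 * i, "bob", f"relative{i}") for i in range(5)]

if __name__ == "__main__":
    print(flag_stuffing_sources(SAMPLE_LOGINS))   # {'203.0.113.7': ['user0', 'user25', 'user50', 'user75']}
    print(flag_bulk_profile_access(SAMPLE_VIEWS))  # ['user25']
```

Accounts opened from a flagged source are the natural candidates for forced password resets and session revocation, and the second check catches harvesting even when the login phase was missed.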


The data breach and 23andMe’s purported failure to inform could have serious consequences—especially given the affected users’ positions as members of marginalized groups. Rafey S. Balabanian, one of the lawyers who filed the lawsuit on behalf of the plaintiffs, wrote, “For customers of Ashkenazi Jewish and Chinese ancestry, the stakes could not be higher.” He called the events a “harrowing breach of trust and personal security” and worried that the leaked information could be used to harass, vandalize, assault, and further discriminate against these already at-risk communities. Had they been adequately warned, these customers could have taken additional steps to better protect themselves and their family members.


Stories of affected customers illustrate the gravity of these implications. Excited to learn about his ancestry, a man identified as JL didn’t think twice about providing a saliva sample to 23andMe for a snapshot of his heritage several years ago. He was surprised to learn from his ancestry report that he was part Ashkenazi Jewish. After hearing about the data breach, JL is worried that his curiosity and trust in 23andMe could put his safety—and the safety of his family members—at risk. “I didn’t know my family was going to potentially be a target. I may have put my family and myself in danger for something I did out of curiosity more than anything,” he said, echoing the sentiment of many impacted 23andMe customers.


The 23andMe lawsuit raises distinct privacy concerns for affected 23andMe users with Chinese ancestry, referencing the Chinese government’s record of monitoring and surveilling Chinese dissidents both domestically and abroad. If the leaked information were to fall—or be sold—into the wrong hands, plaintiffs worry it could put a target on the backs of 23andMe customers with Chinese heritage. It also raises concern about misuse by authoritarian regimes and private actors aiming to harm individuals of Chinese descent.


23andMe has decided it is in the best interest of its customers to settle the class action lawsuit. In September 2024, the personal genomics company agreed to a potential settlement of $30 million, an amount the company called fair and reasonable. The company expects cyber insurance to pay around $25 million of this amount. In addition to cash payouts, 23andMe is also planning to offer affected customers a three-year enrollment in a privacy program called Privacy & Medical Shield + Genetic Monitoring.


For some, the prospect of a settlement is a relief—a step forward toward healing after the trust-shattering cyberattack. Others think it’s too little too late, viewing it as another “slap on the wrist” to big corporations that fail to protect the sensitive information of their consumers. This case echoes the public’s growing concerns around the implications of sharing sensitive genetic information—and its impact on 23andMe’s image and financial outlook serves as a powerful reminder of the importance of data security for companies.

Frequently Asked Questions

The lawsuit alleges that 23andMe neglected to protect customers’ private information—and that the company failed to inform Chinese and Ashkenazi Jewish customers that they were specifically targeted. Sensitive private data was compiled and then sold on the dark web.

Stolen information included personally identifiable data like names, profile pictures, birthplaces, and birth years. It also contained sensitive information like raw genotype data, health reports, and ethnicity details.

Those with Ashkenazi Jewish and Chinese ancestry appear to have been specifically targeted in the breach. Hackers alluded to political reasons for attacking customers with Jewish ancestry, implicating the Israel-Hamas war as the motivating factor for the attacks. Though they didn’t explain why individuals with Chinese heritage were singled out, plaintiffs fear the leaked information could be used for harmful purposes, including surveillance and discrimination.
