23andMe Holding Co (NASDAQ:ME) Jewish and Chinese Users
On June 11, 2024, 23andMe (NASDAQ:ME) revealed a December 2023 data breach that compromised the personal information of 7 million users. Hackers specifically targeted the genetic data of Jewish and Chinese customers, details the company hid from the public. The breach led to a class action lawsuit alleging that 23andMe failed to inform affected users. The hackers sold the stolen data on the dark web, posing significant safety risks, especially for Chinese citizens. The company blamed recycled login credentials for the breach and delayed its full disclosure until December 2023.
- 23andMe has a broadly used genetic services platform with 7 million users, indicating a significant market presence.
- The data breach affected 7 million users, exposing sensitive personal genetic information.
- Hackers specifically targeted Jewish and Chinese users, exacerbating the breach's impact.
- The company failed to fully disclose the breach details promptly, leading to a class action lawsuit.
- The resale of data on the dark web poses long-term safety risks for affected individuals.
- The breach could lead to a loss of customer trust and potential loss of future revenue.
- 23andMe blamed users for the breach, potentially damaging its reputation further.
Insights
The disclosure of a systemic cyber attack targeting a significant portion of 23andMe's user base, specifically Jewish and Chinese individuals, adds multiple layers of complexity to an already critical situation. From a legal standpoint, the severity increases due to the alleged intentional concealment of vital information from affected users, which could heighten liabilities in the ongoing class action lawsuit. Failure to notify users fully about the nature and extent of the breach might be interpreted as negligence or willful misconduct.
This case will likely call into question 23andMe's adherence to data protection regulations like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). Penalties for non-compliance can be substantial, with GDPR fines reaching up to
For investors, the implications are significant. Legal outcomes could result in substantial settlements or penalties, directly impacting financial performance. The increased regulatory scrutiny may also lead to higher compliance costs in the future, affecting profit margins. Furthermore, the possibility of additional breaches or vulnerabilities being exposed could result in long-term damage to customer trust and brand value.
It's important to consider that ongoing litigation often results in prolonged uncertainties, which may manifest in share price volatility. Investors should be cautious about the potential for hidden liabilities and the broader impact on the company's operational effectiveness during this tumultuous period.
The breach of 23andMe's system to target specific ethnic groups highlights substantial deficiencies in the company's cybersecurity infrastructure and response protocols. The ability of hackers to identify and exploit such specific vulnerabilities indicates a potential lapse in data encryption and segmentation. Effective cybersecurity measures should ensure that sensitive information is anonymized and protected from such targeted attacks.
Moreover, the delay in notifying users about the true extent of the breach suggests inadequate incident response procedures. Best practices in cybersecurity dictate that companies should have robust incident response plans to quickly identify, contain and communicate breaches to affected customers transparently. The lack of timely and thorough communication not only exacerbates the breach's immediate damage but also undermines long-term trust in the company's ability to safeguard personal data.
This breach will likely necessitate a comprehensive overhaul of 23andMe's cybersecurity policies and practices, leading to increased short-term costs and potential disruptions. For investors, this could translate into reduced profitability as the company reallocates resources towards strengthening its cybersecurity defenses. Additionally, the reputational damage and loss of customer trust can have prolonged negative effects on customer acquisition and retention rates.
On a broader scale, this incident serves as a stark reminder of the importance of cyber resilience in protecting consumer data. Companies in the genetic testing space must prioritize robust security frameworks to prevent similar breaches and maintain consumer confidence.
The revelation of this targeted data breach has serious implications not just for 23andMe, but for the broader market of genetic testing services. Trust is a fundamental cornerstone in the genetic testing industry, where consumers share their most intimate data. The breach, combined with the alleged concealment of its details, is likely to erode consumer trust not just in 23andMe but potentially in the industry as a whole.
In the short term, we can expect a negative impact on customer acquisition and retention rates for 23andMe, as current and potential customers may hesitate to use the service due to fears about data security. Competitors may seize this opportunity to position themselves as more secure alternatives, potentially capturing market share from 23andMe.
Long-term impacts include potential shifts in consumer behavior, with more individuals prioritizing companies that demonstrate robust data protection practices. Regulatory bodies might also intensify scrutiny on genetic testing companies, leading to stricter compliance requirements and higher operational costs across the industry.
For investors, the key concern is the potential long-term decline in consumer confidence and the associated impact on revenue growth. Investors should closely monitor customer feedback, regulatory responses and the company's actions to address these issues. Effective crisis management and transparent communication will be critical in mitigating the fallout and rebuilding trust.
NEW YORK, NY / ACCESSWIRE / June 11, 2024 / 23andMe (NASDAQ:ME) was hacked in December 2023, affecting approximately 7 million users of its genetic services website. According to a recently filed class complaint, hackers who infiltrated 23andMe's system were after the personal information of Jewish and Chinese customers, but the company hid that detail when notifying affected customers.
The hackers specifically targeted the personal genetic information of Jewish and Chinese customers and compiled that data - including genetic heritage, names, and addresses - into lists that were then sold on the dark web, but 23andMe concealed both those revelations when it announced the extent of the breach in December 2023.
According to the lawsuit, the hacker leaked a list of over 1 million Jewish customers expressly in retribution for the Israel-Hamas war. The hacker was also more than happy to leak a list of 350,000 Chinese customers upon request from a user with the alias "Wuhan." These lists generated a huge amount of interest from hackers on the dark web from all over the world and were shared and reshared an untold number of times.
The disclosure of these lists threatens the safety of those customers, including from the Chinese government, which has a long history of tracking Chinese citizens.
According to the lawsuit, to this day, 23andMe has not informed the 7 million compromised customers that their personal genetic information was disclosed on the dark web, nor has it told its Jewish and Chinese customers that they were specifically targeted.
IF YOU ARE A VULNERABLE person whose personal genetic information identifies you as having Ashkenazi Jewish heritage or Chinese ancestry, and/or live in California, Illinois, Oregon, or Alaska, please contact us to review your rights and eligibility for compensation:
ADDITIONAL BACKGROUND:
According to a recently filed class action complaint, on Oct. 1, 2023, a hacker using the alias "Golem" leaked the 23andMe data of 1 million Ashkenazi Jews on Breach Forums, calling it "the most valuable data you'll ever see."
"Golem's explicit targeting of Jewish 23andMe users is further conveyed by his use of the character 'Gollum' from The Lord of the Rings - a creature driven by greed with ugly and outsized facial features - as his profile picture."
A few hours later, a user with the alias "Wuhan" asked Golem if he had "Chinese accounts," according to the complaint. The next day, Golem leaked the data of 7 million users, saying in the post that the customer information included phenotype and health information, photos, and identification data.
Golem listed prices for the customer profiles at
Interest in the leaked Jewish and Chinese information was immediate and overwhelming following an Israeli bombing of a Palestinian hospital.
23andMe attempted to shift the blame to customers, telling them the breach was a result of customers using recycled login credentials from their accounts on other websites. Further, 23andMe then waited until December to report that 7 million customers were directly affected by the breach and didn't say anything about the data being sold on the dark web or that Jewish and Chinese customers were specifically targeted.
Levi & Korsinsky, LLP is investigating whether affected customers are entitled to compensation. If you have received a notice about the data breach, you may be entitled to compensation. There is no cost or obligation to participate. Follow the link below to find out more:
Levi & Korsinsky is a nationally recognized consumer advocacy law firm that has recovered hundreds of millions of dollars against large corporations. The firm's team of over 70 extraordinary attorneys and professionals have a winning track record going against the most powerful defense attorneys in the world and know how to maximize your compensation. The firm is a
CONTACT:
Levi & Korsinsky, LLP
Joseph E. Levi, Esq.
Ed Korsinsky, Esq.
33 Whitehall Street, 17th Floor
New York, NY 10004
jlevi@levikorsinsky.com
Tel: (212) 363-7500
Fax: (212) 363-7171
https://zlk.com/
SOURCE: Levi & Korsinsky, LLP