23andMe agrees to $30M settlement over data breach that targeted Jewish and Chinese users
The data was first stolen by a hacker nicknamed “Golem,” after the Jewish mythical defender made of clay
The genetic data testing company 23andMe was the target of a hack aimed at users with Ashkenazi Jewish ancestry. (Wikimedia)
(JTA) — The genetic testing company 23andMe has agreed to pay $30 million to American plaintiffs to settle a lawsuit over a data breach last year that specifically targeted customers of Ashkenazi Jewish and Chinese ancestry.
The breach, which occurred last October, affected more than 6.9 million customers and included users’ personal details such as their location, name and birthdate, as well as some information about their family trees. That data was shared on BreachForums, an online forum used by cybercriminals.
According to court documents, the data breach was revealed Oct. 6 after a hacker going by the pseudonym “Golem,” a reference to the Jewish mythical defender made of clay, published a link to a database labeled “ashkenazi DNA Data of Celebrities.” According to the lawsuit, the hacker referred to the list as “the most valuable data you’ll ever see,” though most of the names were not famous.
In total, 999,998 individuals with Ashkenazi heritage were included on the list, which also contained data from another 100,000 people with Chinese ancestry. “Golem” also claimed to possess the data of 350,000 users with Chinese heritage and offered to sell data from both sets of information for a fee.
According to the complaint, 23andMe did not disclose the full extent of the breach to its customers until December, when the company stated that the hackers were able to access the large number of accounts by initially hacking a smaller number of accounts, and then gaining access to information from other accounts through the site’s “Family Tree” and “DNA Relatives” features.
Complainants alleged in court documents that in addition to their data being stolen, 23andMe misrepresented how secure its users’ data was. They alleged that the data “is now in the hands of cybercriminals and is readily available to download by anyone with access to the hacking forum.”
In a statement to the Jewish Telegraphic Agency, 23andMe said, “We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”
A message from our CEO & publisher Rachel Fishman Feddersen
I hope you appreciated this article. Before you go, I’d like to ask you to please support the Forward’s award-winning, nonprofit journalism during this critical time.
At a time when other newsrooms are closing or cutting back, the Forward has removed its paywall and invested additional resources to report on the ground from Israel and around the U.S. on the impact of the war, rising antisemitism and polarized discourse..
Readers like you make it all possible. Support our work by becoming a Forward Member and connect with our journalism and your community.
— Rachel Fishman Feddersen, Publisher and CEO
