December 7, 2023 at 04:43PM
23andMe suffered a data breach caused by a credential stuffing attack, affecting 6.9 million people. After lawsuits were filed, the company updated its Terms of Use to mandate arbitration instead of jury trials or class actions. Customers have 30 days to opt out of the new terms, but the effectiveness of this change is questionable.
Meeting Takeaways:
1. 23andMe was the victim of a credential stuffing attack in October, resulting in customer data theft.
2. The incident involved an attempted sale and subsequent leak of data belonging to 1 million Ashkenazi Jewish customers and 4.1 million UK residents.
3. The breach affected a total of 6.9 million people, with data obtained via the ‘DNA Relatives’ (5.5 million people) and ‘Family Tree’ (1.4 million people) features.
4. In response to several lawsuits, 23andMe updated their Terms of Use on November 30th to include a mandatory arbitration clause, which aims to limit the ability to sue the company through jury trials or class action lawsuits.
5. Customers received email notifications about the change and have 30 days from receiving this notification to disagree with the new terms by emailing [email protected].
6. Those who opt out via email will be covered under the previous Terms of Service.
7. A legal expert suggests that 23andMe’s updated Terms of Use may not shield the company from lawsuits due to potential challenges in proving that they provided reasonable notice for customers to opt out.