
As genetic testing provider 23andMe faces multiple lawsuits over an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company.

In October, a threat actor attempted to sell 23andMe customer data and, after failing to do so, leaked the data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.

Threat actor leaking 23andMe data
Source: BleepingComputer

23andMe told BleepingComputer that the data was obtained through credential stuffing attacks that breached customer accounts. Using this limited number of compromised accounts, the threat actors used the 'DNA Relatives' feature to scrape millions of individuals' data.

In a recent update, 23andMe told BleepingComputer that a total of 6.9 million people were impacted by the breach — 5.5 million through the DNA Relatives feature and 1.4 million people through the Family Tree feature.
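The breach the article describes has two stages: a credential stuffing phase that tries many accounts from few sources, and a post-login phase in which a handful of compromised accounts pull far more relative profiles than a normal user would. The following Python is an added illustration of how a defender might flag both stages in constructed sample logs; it is not code from 23andMe or BleepingComputer, and the log fields, thresholds and account names are assumptions.

```python
"""Flag the two stages of the pattern described above in constructed logs.

Stage 1: credential stuffing, many distinct accounts tried from one source.
Stage 2: a compromised account pulling far more relative records than normal.
"""
from collections import Counter, defaultdict

# Constructed sample logs (assumed fields, not real 23andMe data).
AUTH_LOG = [
    # (source_ip, account, outcome)
    ("203.0.113.7", "u1001", "fail"), ("203.0.113.7", "u1002", "fail"),
    ("203.0.113.7", "u1003", "ok"),   ("203.0.113.7", "u1004", "fail"),
    ("203.0.113.7", "u1005", "fail"), ("203.0.113.7", "u1006", "ok"),
    ("198.51.100.4", "u2001", "ok"),  ("198.51.100.4", "u2001", "ok"),
]
RELATIVES_LOG = [
    # (account, number_of_relative_profiles_returned)
    ("u1003", 1200), ("u1006", 950), ("u2001", 12), ("u2002", 8), ("u2003", 15),
]


def stuffing_sources(auth_log, min_accounts=5, min_fail_ratio=0.5):
    """Source IPs that try many distinct accounts with a high failure rate."""
    accounts = defaultdict(set)
    attempts, failures = Counter(), Counter()
    for ip, account, outcome in auth_log:
        accounts[ip].add(account)
        attempts[ip] += 1
        if outcome != "ok":
            failures[ip] += 1
    return sorted(
        ip for ip in attempts
        if len(accounts[ip]) >= min_accounts
        and failures[ip] / attempts[ip] >= min_fail_ratio
    )


def scraping_accounts(rel_log, factor=10):
    """Accounts whose relative-record volume is far above the median user."""
    volumes = sorted(n for _, n in rel_log)
    median = volumes[len(volumes) // 2]
    return sorted(acct for acct, n in rel_log if n >= factor * median)


def compromised_and_scraping(auth_log, rel_log):
    """Accounts that logged in from a stuffing source and then scraped."""
    bad_ips = set(stuffing_sources(auth_log))
    from_bad = {a for ip, a, o in auth_log if ip in bad_ips and o == "ok"}
    return sorted(from_bad & set(scraping_accounts(rel_log)))
```

Accounts returned by the last function are candidates for forced re-authentication and rate limiting of the relatives feature, which addresses the second stage even when the first is missed.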

Terms of Use updated to prevent lawsuits

The breach has led to numerous lawsuits against the company, causing 23andMe to update its Terms of Use on November 30th to contain provisions that make it more difficult to take part in class action lawsuits against the company.

These provisions increase the initial dispute period from 30 to 60 days and require customers to first have a telephone or videoconference with 23andMe to try to resolve the dispute.

The new Terms also contain stronger language to prevent a party from bringing a class action lawsuit against 23andMe.

"To the fullest extent allowed by applicable law, you and we agree that each party may bring disputes against the other party only in an individual capacity, and not as a class action or collective action or class arbitration," reads the updated Terms of Use.

23andMe claims that these changes were added to make the dispute process more efficient and understandable to customers.

"The recent revisions to our terms of service provide more details and clarity around the arbitration process," a 23andMe spokesperson told BleepingComputer.

"For example, the informal resolution period has been extended to 60 days, which makes that process more efficient for customers."

Emails sent to customers about this change state that users have up to 30 days from receiving the email notification to notify 23andMe at legal@23andme.com that they disagree with the new terms.

Those who send an email disputing the update will remain on the previous Terms of Service.

Nancy Kim, a Chicago-Kent College of Law professor, told Axios this change in the Terms of Use will likely not protect 23andMe from lawsuits as it will be difficult to prove that they gave reasonable notice to opt out of the new terms.

Update 12/9/23: Added statement from 23andMe and clarified the changes made to the Terms of Use.
