Canadian customers are suing 23andMe Holding Co. (NASDAQ: ME) in B.C. over an alleged data breach that includes DNA information.
The province’s Supreme Court approved a B.C.-based representative plaintiff on Dec. 19 in a class action suit on behalf of all Canadian customers affected by the alleged data breach.
The proposed lawsuit has not been certified.
The data breach took place in October 2023, resulting in “highly sensitive” personal information of millions of 23andMe customers being stolen or compromised, according to the notice of civil claim.
The California-based company is best known for its consumer-oriented genetic testing.
Information alleged to have been breached included customers’ ethnicities, religious backgrounds, ancestry roots and genetics. The defendant claimed that about 5.1 million customers’ information was made available for sale on the Dark Web.
“The defendants failed to conduct their data retention and protection practices appropriate to the sensitivity of the customer information … or the security of the risk of cyberattacks,” stated the claim.
“The plaintiff and the putative class members have incurred and will continue to incur harms, damages and losses as a result of the defendants’ conduct.”
The proposed class proceeding seeks to recover compensation.
Sage Nematollahi, the plaintiff’s lawyer, said thousands of Canadians who claimed to be affected by the incident have reached out to his firm.
“People keep contacting us … the group is very, very large,” said Nematollahi.
23andMe confirmed on Oct. 6 that certain customers’ profile information, which was shared through the company’s DNA Relatives feature, was obtained by others without the users’ authorization.
The company said in a blog post it believed certain accounts were accessed through users' recycled login credentials for 23andMe.com, which were the same as those used on other websites that have been previously hacked.
“We do not have any indication at this time that there has been a data security incident within our systems or that 23andMe was the source of the account credentials used in these attacks,” 23andMe said in the October statement and later reiterated it in a written statement to the BIV.