A class action lawsuit filed in Chicago has become one of the latest local class actions amid many cases nationwide accusing genetic screening company 23&Me of not doing enough to protect customer data amid a data breach.
The company disclosed the breach to customers in October, according to the lawsuit filed in Cook County Circuit Court.
"Hackers accessed profile information from its customers’ accounts—including information on their DNA ancestry and relatives derived from
genetic testing and other personal identifying information," the lawsuit states.
The company suspects the hackers used a technique called "credential stuffing," the suit said. That involves "trying combinations of usernames or emails and corresponding passwords that are already public from other data breaches to break into users’ accounts on a large scale and then harvesting data from those accounts," according to the suit.
Credential stuffing is a well-known tactic used by hackers, the lawsuit states.
" Thus, 23andMe had actual and/or constructive notice of the need to implement measures to protect against this type of attack," the suit says. "There are multiple, widely available processes and tools available to combat credential stuffing, and they are commonly known and widely employed in the cybersecurity industry. But 23andMe failed to implement adequate safeguards."
The lawsuit seeks damages and attorney fees.
The plaintiffs are represented in this case by attorneys Hassan A. Zavareei, Glenn E. Chappell, David W. Lawler and Leora N. Friedman, of Tycko & Zavareei LLP, of