23andMe is “shamelessly” blaming victims of a data breach impacting 6.9 million users, a lawyer representing victims pursuing a class-action lawsuit, Hassan Zavareei, told TechCrunch.

Zavareei shared a letter from 23andMe lawyers that urged users suing to “consider the futility of continuing to pursue an action in this case,” because their claims are allegedly meritless and “the information that was potentially accessed cannot be used for any harm.”

Last year, hackers accessed 14,000 accounts on 23andMe by using passwords that had been previously breached during security incidents on other websites. By using this tactic, known as credential stuffing, hackers could access the personal data of millions of 23andMe users who opted into a DNA Relatives feature, including genetic information like the percentage of DNA shared with compromised users.

While 23andMe claimed that the case had no merits, the courts have not yet weighed the many questions raised by users suing the company over alleged harms. In December, a US District Court in Illinois found that more than 100 users represented by Zavareei’s firm had “plausibly” demanded damages that exceeded $5 million. Those victims have alleged that 23andMe owed them compensation for the loss of the value of their personally identifiable information, costs of “remediating the impacts of the breach,” and emotional distress. Victims also want the court to order 23andMe to disgorge all profits retained by its “failed promise to safeguard their data.”

So far, 23andMe has been hit with more than 30 lawsuits filed in US federal and state courts, as well as courts in British Columbia and Ontario, Canada, as a result of the breach, suggesting that 23andMe could end up owing much more than $5 million. Due to the number of victims suing, there is an effort to consolidate these cases through multidistrict litigation to decrease the burden on courts.

Did 23andMe do enough to safeguard data?

In the class action filed by Zavareei’s firm, more than 100 victims have accused 23andMe of violating various state laws, including the California Privacy Rights Act (CPRA)—considered the US’s toughest consumer privacy law.

Under the CPRA, businesses that collect sensitive data must provide “reasonable security procedures,” but the law remains vague and does not stipulate what’s considered reasonable.

“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure,” the law says.

This vagueness has seemingly left room for 23andMe to argue that users who “negligently recycled and failed to update their passwords” following “past security incidents” were to blame for the breach, and “therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

“The incident was a result of users’ failure to safeguard their own account credentials, for which 23andMe bears no responsibility,” 23andMe’s letter said.

But Zavareei told TechCrunch that 23andMe’s “finger-pointing is nonsensical.” Zavareei offered a different legal interpretation of what should have been considered “reasonable security procedures” for a website collecting data so sensitive, it’s sometimes considered more valuable on the black market, like health and genetic data.

“23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said.

https://arstechnica.com/?p=1993685