By: Veronica Walsh

On October 6, 2023, 23andMe reported they had experienced numerous data breaches executed by hackers through credential stuffing between April and September of 2023.[1] Since the data breach, affected users have filed a class action lawsuit against 23andMe.[2] The lawsuit alleges the company recklessly maintained users’ personal information and “failed to use reasonable and adequate measures” to keep consumers’ data safe.[3]

The Santana v. 23andMe[4] complaint alleges theories of recovery based on negligence, breach of implied contract, invasion of privacy, and unjust enrichment.[5] In response, 23andMe released a statement saying that none of its data protection systems were compromised and that the data breach resulted from a practice called credential stuffing.[6] Credential stuffing is a type of cyberattack in which hackers use compromised login credentials collected from previous data breaches, illegal data sellers, or other automated scripts to gain unauthorized access to users’ accounts on different platforms.[7] Reused usernames and passwords allowed the hackers to access user accounts through credential stuffing without alerting 23andMe’s information systems.[8] Since the data breach, the Santana plaintiffs assert as their injury the increased risk of identity theft, fraud, and continued exposure of personally identifiable information.[9] The Santana case raises two important questions related to data privacy. First, what must a business do to avoid legal liability for credential stuffing attacks?[10] Second, is an increased risk of fraud or identity theft a valid injury-in-fact?[11]

Credential stuffing differs from brute force attacks on a webpage’s information systems.[12] Credential stuffing involves a hacker using a user’s login credentials, compromised in a previous breach or cyberattack on a different webpage, to attempt to access that user’s account on the non-infiltrated webpage.[13] Because credential stuffing uses legitimate login credentials, these attacks have a higher success rate than other brute-force hacking methods.[14] Users can avoid credential stuffing attacks by using different passwords and usernames for each of their accounts.[15]

A negligence claim based on credential stuffing requires the plaintiff to demonstrate an injury-in-fact.[16] In I.C. v. Zynga,[17] the plaintiffs sued the defendant gaming website after hackers accessed the plaintiffs’ user accounts through a credential stuffing attack.[18] The Zynga plaintiffs allegedly suffered: “(i) a ‘present, increased risk’ of identity theft; (ii) time spent mitigating said risk; (iii) emotional distress; (iv) diminution in value of their [personally identifiable information]; and (v) loss of privacy.”[19] However, the Zynga Court held that the class action plaintiffs failed to allege a viable injury-in-fact in their negligence claim against the online gaming website.[20] The Court found the plaintiffs’ arguments unconvincing because the plaintiffs were not yet victims of identity fraud.[21] Many courts are reluctant to find Article III standing for plaintiffs with claims related to data breaches absent actual identity theft.[22]

However, some circuit courts have recognized an injury-in-fact when plaintiffs’ personally identifiable information is made available for sale on the Dark Web following a data breach.[23] This is because publishing plaintiffs’ personally identifiable information on the Dark Web puts the plaintiffs at an increased risk of falling victim to identity theft or fraud at any point.[24] Accordingly, information made available on the Dark Web is likely prone to misuse.[25]

Other circuit courts take a narrower approach.[26] The Second, Eighth, and Eleventh Circuits have held that plaintiffs do not have standing absent a showing of actual theft or fraud.[27] These circuits refuse to recognize standing even when plaintiffs are at an increased risk of theft or fraud or have undertaken extensive mitigation measures.[28]

The Santana plaintiffs must demonstrate an injury-in-fact related to the 23andMe data breach.[29] While Santana may not involve actual identity theft, Santana differs from the Zynga decision because Santana concerns users’ health information.[30] Health information is arguably ripe for misuse if leaked.[31] In Santana, the Court will be tasked with weighing Article III standing concerns against the vulnerability of private health information.[32]

The outcome of the Santana case will also determine what steps businesses operating through online user accounts should take to avoid liability related to credential stuffing.[33] 23andMe’s information systems were not alerted to the data breach.[34] The Securities and Exchange Commission has developed a series of recommended security measures for safeguarding user accounts from credential stuffing attacks.[35] Many of the SEC’s recommendations involve additional software and controls, such as multi-factor authentication and CAPTCHA.[36] As more data breach cases make their way into the courts, whether businesses will be required to implement more robust security procedures to protect users’ personal information will become clearer.
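The contrast drawn above between credential stuffing (many accounts, one or two tries each) and brute force (one account, many tries), together with the point that 23andMe’s systems were not alerted, is illustrated by the following detection heuristic over a constructed authentication log. This is an added example, not code from the post or from 23andMe; the log lines, IP addresses, usernames and thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:02 203.0.113.7 bob@example.com SUCCESS
2023-05-01T10:00:03 203.0.113.7 carol@example.com FAIL
2023-05-01T10:00:04 203.0.113.7 dave@example.com SUCCESS
2023-05-01T10:01:00 198.51.100.9 alice@example.com FAIL
2023-05-01T10:01:01 198.51.100.9 alice@example.com FAIL
2023-05-01T10:01:02 198.51.100.9 alice@example.com FAIL
2023-05-01T10:01:03 198.51.100.9 alice@example.com FAIL
2023-05-01T10:02:00 192.0.2.5 grace@example.com FAIL
2023-05-01T10:02:30 192.0.2.5 grace@example.com SUCCESS
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), ip, user, out == "SUCCESS") for ts, ip, user, out in rows]

def classify_sources(events, window=timedelta(minutes=5), min_attempts=4, spray_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'. A per-IP
    sliding window finds bursts of >= min_attempts logins: spread over mostly distinct
    usernames is stuffing, aimed at one username is brute force. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    labels = {}
    for ip, evs in by_ip.items():
        label, start = "normal", 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            users = {u for _, u, _ in burst}
            if len(users) / len(burst) >= spray_ratio:  # many accounts, few tries each
                label = "credential_stuffing"
                break
            if len(users) == 1:  # one account, many tries
                label = "brute_force"
        labels[ip] = label
    return labels

def compromised_accounts(events, labels):
    """Accounts successfully logged into from a source flagged as credential stuffing."""
    return {u for _, ip, u, ok in events if ok and labels.get(ip) == "credential_stuffing"}
```

Per-account lockout alone would miss the first source here, since each account sees only one attempt; the per-source view is what surfaces it.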

[1] Rebecca Carballo et al., 23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says, N.Y. Times (Jan. 26, 2024), https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html#.

[2] Christopher Brown, 23andMe Sued Over Hack of Genetic Data Affecting Thousands, Bloomberg L. (Oct. 9, 2023), https://www.bloomberglaw.com/bloomberglawnews/litigation/XDEKULE0000000?bna_news_filter=litigation#jcite.

[3] Id.

[4] No. 3:23-cv-05147 (N.D. Cal. Oct. 9, 2023).

[5] See Class Action Complaint at 33, 39-40, 42, 44, Santana et al. v. 23andMe, Inc., No. 3:23-cv-05147 (N.D. Cal. Oct. 9, 2023) (listing causes of action).

[6] Carballo et al., supra note 1; see Addressing Data Security Concerns, 23andMe (Dec. 5, 2023, 2:45 PM), https://blog.23andme.com/articles/addressing-data-security-concerns.

[7] Marc E. Elovitz et al., Cybersecurity Update for Private Fund Managers: Lessons from Recent SEC Enforcement Actions, 27 Westlaw J. Sec. Litig. & Regul., no. 13, 2021, at 1, n. 6.

[8] Carballo et al., supra note 1; see Brown, supra note 2 (“A company spokesperson then told Bloomberg News that the company found no indication of a breach in its information systems.”).

[9] See Class Action Complaint, supra note 5, at 38 (failing to state that the data breach resulted in actual theft or fraud).

[10] See id. (stating that 23andMe is responsible for not safeguarding user accounts from credential stuffing attacks).

[11] See id. at 3 (connecting Data Breach with injury in fact that 23andMe is liable to remedy).

[12] U.S. Dep’t of Health & Hum. Servs., Health Sector Cybersecurity Coordination Ctr., No. 201905091000, Credential Stuffing 4 (2019).

[13] Id.

[14] Id.

[15] Id. at 20.

[16] See McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 299-300 (2d Cir. 2021) (listing an injury-in-fact as the first step to establish standing under Article III of the Constitution).

[17] 600 F. Supp. 3d 1034 (N.D. Cal. 2022).

[18] Id. at 1047.

[19] Id.

[20] Id. at 1054.

[21] See id. at 1053-54 (ruling that plaintiffs did not find a certainly impending risk of harm due to a lack of concrete proof of identity theft).

[22] See Caroline Ribet, Don’t Just Do Something, Stand There: What Criminal Law Teaches Us About Article III Standing in Data Breach Cases, 172 U. Pa. L. Rev. 257, 264 (2023) (recognizing the Second, Eighth, and Eleventh Circuits as not preferring a direct showing of theft or fraud to qualify as sufficient injury for standing).

[23] McMorris, 995 F.3d at 303; see Ahmed Ghappour, Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web, 69 Stan. L. Rev. 1075, 1090 (2017) (“Not surprisingly, criminals and other malicious actors … use the dark web to carry out technology-driven crimes, such as computer hacking, identity theft, credit card fraud, and intellectual property theft.”).

[24] See McMorris, 995 F.3d at 303 (calling this situation an “increased-risk” theory of injury in fact); Cooper v. Bonobos, 21-CV-854(JMF), 2022 WL 170622, at *4 (S.D.N.Y. Jan. 19, 2022) (recognizing a successful claim for “a substantial risk of identify theft or fraud” is enough for standing).

[25] Cooper, 2022 WL 170622, *3.

[26] Ribet, supra note 22, at 266.

[27] Id.

[28] Id. at 266-69.

[29] McMorris, 995 F.3d at 302.

[30] Compare id. at 1 (discussing 23andMe’s role in keeping private health data safe on their platform), with I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1038 (N.D. Cal. 2022) (highlighting that Zynga held personal identifying information including first names, last names, and credit card details).

[31] Nicole B. Perkins, Spreading a Digital Disease: The Circuit Split on Data Breaches and its Effects on the Health Sector, 20 Ind. Health L. Rev. 435, 436 (2023) (“Personal Health Information (“PHI”) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information.”).

[32] See Complaint at 5, Santana et al. v. 23andMe, Inc., No. 3:23-cv-05147 (N.D. Cal. Oct. 9, 2023).

[33] See generally id. (asserting that 23andMe failed to implement appropriate security measures to safeguard users’ personally identifiable information).

[34] Addressing Data Security Concerns, 23andMe (Dec. 5, 2023, 2:45 PM), https://blog.23andme.com/articles/addressing-data-security-concerns.

[35] Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Cybersecurity: Safeguarding Client Accounts Against Credential Compromise 2-4 (2020).

[36] Id.