As Genetic testing provider 23andMe faces multiple lawsuits for an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company.
In October, a threat actor attempted to sell 23andMe customer data and, after failing to do so, leaked the data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.
23andMe told BleepingComputer that the data was obtained through credential stuffing attacks to breach customer accounts. Using these limited numbers of accounts, the threat actors used the ‘DNA Relatives‘ feature to scrape millions of individuals’ data.
In a recent update, 23andMe told BleepingComputer that a total of 6.9 million people were impacted by the breach — 5.5 million through the DNA Relatives feature and 1.4 million people through the Family Tree feature.
Terms of Use updated to hinder lawsuits
The breach has led to numerous lawsuits against the company, causing 23andMe to update its Terms of Use on November 30th to contain a provision stating that mandatory arbitration is required for all disputes, rather than jury trials or class action lawsuits.
“These terms of service contain a mandatory arbitration of disputes provision that requires the use of arbitration on an individual basis to resolve disputes in certain circumstances, rather than jury trials or class action lawsuits,” reads the updated Terms of Use.
Emails sent to customers about this change state that users have up to 30 days of receiving the email notification to notify 23andMe at customercare@23andme.com that they disagree with the new terms.
Those who send an email disputing the update will remain on the previous Terms of Service.
Nancy Kim, a Chicago-Kent College of Law professor, told Axios this change in the Terms of Use will likely not protect 23andMe from lawsuits as it will be difficult to verify that they gave reasonable notice to opt out of the new terms.