23andMe Sees Backlash for Updating Service Terms Before Massive Data Breach

Genetic testing company 23andMe updated its terms of service the day before disclosing a data breach affecting 6.9 million users, reports say.

Stealing a credit card through a laptop concept for computer hacker, network security and electronic banking security
(Image credit: Getty Images)

Genetic testing company 23andMe is facing backlash following reports that it updated its customer terms of service the day before disclosing a data breach affecting 6.9 million users.

The changes are aimed at making it harder for customers to file mass arbitration claims against the company, according to a December 11 TechCrunch report. Several class action lawsuits have been filed so far, however, the report noted.

According to a 23andMe terms of service update on November 30, which TechCrunch published, the company said it updated its dispute resolution and arbitration section "to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed. These updates will go into effect for customers 30 days from the date this email is received."

Subscribe to Kiplinger’s Personal Finance

Be a smarter, better informed investor.

Save up to 74%

Sign up for Kiplinger’s Free E-Newsletters

Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.

Profit and prosper with the best of expert advice - straight to your e-mail.

Sign up

A 23andMe spokesperson told Kiplinger that the company’s terms of service have contained an arbitration clause for more than 12 years and that the recent revisions provide more details and clarity around the arbitration process. He added that any customer who does not agree to the new arbitration provision can opt out within 30 days by emailing legal@23andme.com

23andMe disclosed the data breach along with details on how it happened and actions it was taking to notify users in a December 1 filing with the Securities and Exchange Commission.

As Kiplinger previously reported, the data breach involved ancestry information of 6.9 million users. A hacker was able gain access to roughly 5.5 million users of the site's DNA Relatives (DNAR) feature as well as an additional 1.4 million users who use its Family Tree profile feature.

After learning of a cyber threat on October 1, the company investigated and found that a hacker had gained access to about 14,000 accounts of users who used the same usernames and passwords that they used on other websites that were previously compromised or were otherwise available, according to the SEC filing.

Health-related information was also exposed for some of those 14,000 accounts, the 23andMe spokesperson said.

With access to the 14,000 accounts, the hacker was able obtain information within DNAR profiles. This includes display names, how recently the user logged into their account, their relationship labels and predicted relationships and the percentage of DNA shared with their DNA relative matches. It may also include ancestry reports and matching DNA segments, self-reported locations including city and zip code, ancestor birth locations and family names, profile pictures, birth years, a weblink to a family tree, and anything the user wrote in the “introduce yourself” section of their profiles. 

Information in the Family Tree profiles includes display names and relationship labels, and may include birth years and self-reported locations.

“We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers,” a 23andMe spokesperson told Kiplinger in an email on December 6. “The company will continue to invest in protecting our systems and data.”

What to do if you’ve been hacked

As required by law, 23andMe is in the process of notifying affected users, the company said in a December 1 blog post. 23andMe recommends following the blog for updates as its investigation continues.

The company also encourages its customers to take action to keep their accounts and passwords secure. It recommends taking these specific steps:

If you are or become a victim of a data breach, taking action within the first 48 hours can make a big difference in protecting your information, experts say.

Related Content

Joey Solitro

Joey Solitro is a freelance financial journalist at Kiplinger with more than a decade of experience. A longtime equity analyst, Joey has covered a range of industries for media outlets including The Motley Fool, Seeking Alpha, Market Realist, and TipRanks. Joey holds a bachelor's degree in business administration. 

With contributions from