23andMe blamed the poor password practices of some of its users for the data leak that affected nearly 7 million of its users in October.
Class action lawsuits against 23andMe that resulted from the cybersecurity incident allege the company violated state privacy laws including the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA) and the Illinois Genetic Information Privacy Act.
A lawyer representing 23andMe denied the allegations in a Dec. 11 letter to lawyers representing the plaintiffs in one of the lawsuits. The letter, first published by TechCrunch on Jan. 3, asserted that users — not the company — are responsible for the unauthorized access.
“[…] users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the letter stated.
You can read more in an article by Laura French published on the scmagazine.com website at: http://tinyurl.com/mr2x8nkm