2023-10-10 23andMe Holding Co. Cybersecurity Incident

Page last updated on April 11, 2024

23andMe Holding Co. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-10-10 16:17:56 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-10-10
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-10-10

23andMe Holding Co. filed an 8-K at 2023-10-10 16:17:56 EDT
Accession Number: 0001193125-23-253488


Item 7.01

Regulation FD Disclosure

23andMe Holding Co. (“23andMe,” “we,” “us,” and “our”) recently learned that certain profile information, which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature, was accessed from individual 23andMe.com accounts without the account users’ authorization (the “incident”). Based on 23andMe’s investigation as of the date of this Current Report on Form 8-K, we do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks. While our investigation is ongoing, as of the date of this Current Report on Form 8-K, we believe the threat actor was able to access certain accounts in instances where usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available.

23andMe undertook immediate action in accordance with its incident response plan, including taking affirmative security measures to mitigate any potential impact of the incident, working to validate whether data that was accessed was legitimate data from the Website, and determining the full scope of data accessed by unauthorized individuals. 23andMe has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact of the incident. 23andMe is fully cooperating with federal law enforcement in relation to this incident.

23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations. 23andMe’s investigation into these matters is preliminary and ongoing, and 23andMe is still discerning the implications of the incident. During the course of the investigation, 23andMe may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. At this time, 23andMe is unable to predict the costs and magnitude of those consequences.

Forward-Looking Statements

This Current Report on Form 8-K contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to date, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise or corruption of data, loss of business, reputational damage adversely affecting customer relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities; and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident.

All information provided in this Current Report on Form 8-K is as of the date hereof and 23andMe undertakes no duty to update this information except as required by applicable law.

The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto.


8-K/A filed on 2023-12-01

23andMe Holding Co. filed an 8-K/A at 2023-12-01 16:06:04 EST
Accession Number: 0001193125-23-287449


Item 7.01

Regulation FD Disclosure

On October 10, 2023, 23andMe Holding Co. (the “Company,” “23andMe,” “we,” “us,” and “our”) filed a Current Report on Form 8-K (the “Original Form 8-K”) reporting that it learned that certain user profile information, which a 23andMe user (each, a “user” and collectively, the “users”) creates and chooses to share with their genetic relatives in 23andMe’s DNA Relatives feature, was accessed and downloaded from individual 23andMe.com (the “23andMe website”) user accounts (the “incident”) by a threat actor (the “threat actor”). The Company is filing this Amendment No. 1 to the Original Form 8-K (this “Amendment”) to provide supplemental information regarding the incident. Except as expressly set forth herein, this Amendment does not amend the Original Form 8-K in any way and does not modify or update any other disclosures contained in the Original Form 8-K. This Amendment supplements the Original Form 8-K and should be read in conjunction with the Original Form 8-K.

On October 1, 2023, a threat actor posted online a claim to have 23andMe users’ profile information. Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity. Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.

23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to log in to the 23andMe website using two-step verification going forward.

As of the filing date of this Amendment, the Company expects to incur between $1 million and $2 million in one-time expenses related to the incident during its fiscal third quarter ending December 31, 2023, primarily consisting of technology consulting services, legal fees, and expenses of other third-party advisors. The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results. As of the filing date of this Amendment, the Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024.

As of the filing date of this Amendment and as a result of the incident, multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome. The Company is also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies. The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time.

While the Company believes the investigation into these matters is complete, the Company may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. All information provided in this Amendment is as of the date hereof and 23andMe undertakes no duty to update this information except as required by applicable law.

Forward-Looking Statements

This Amendment contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to date, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational, and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise, or corruption of data, loss of business, reputational damage adversely affecting user relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident.

This Amendment includes several website addresses. These website addresses are intended to provide inactive, textual references only. The information on these websites is not part of this Amendment.

The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto.


Company Information

Name: 23andMe Holding Co.
CIK: 0001804591
SIC Description: Pharmaceutical Preparations
Ticker: ME - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30