After a data breach compromised the DNA data of about 6.9 million users of genetic testing company 23andMe last fall, the company now appears to have shifted the blame for the breach towards the customers who were affected, according to an alleged letter from the company’s lawyers that was sent to victims suing the company for the breach.

In the letter, lawyers for the company claimed that the data breach is a result of customers not updating their passwords for their user accounts on the DNA testing company’s website. 


Company shifts data breach blame

“23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials — that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” reads the letter. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

The letter also states that “if a violation occurred, it has been remediated.” It also argues that 23andMe had given customers the option to set up 2-step verification for their accounts since 2019, and had been requiring customers to use that “added layer of protection” since Nov. 6, 2023.

The company has been covering its bases in the past few months since news of the data breach broke in October. After 23andMe initially revealed that the data breach affected roughly 14,000 customers in a Dec. 1 court filing to the U.S. Securities and Exchange Commission, the company later confirmed that the breach actually affected about 6.9 million users.

The DNA data that was compromised included the matched DNA relatives of users and the percentage of DNA that users shared with those relatives. The hackers also accessed users’ self-reported location, family names, birth years, etc.

23andMe updates terms of service

It was later reported that days before 23andMe confirmed the full magnitude of the data breach, the company sent an email to users on Nov. 30 saying that it updated its terms of service. The company informed users in the email that it revised the “Dispute Resolution and Arbitration” section in the contract without detailing what those changes were.

It appeared that customers lost the ability to take 23andMe to court to sue for damages if they weren’t able to reach a settlement after arbitration. It also appeared that the company further highlighted the language in the contract that informs customers that they may not file a class action lawsuit by putting the text in all caps and shortening it for clarity.

The company confirmed to TheStreet last month that one of the revisions to the “Dispute Resolution and Arbitration” section of the contract included extending the informal resolution period to 60 days.

23andMe is reportedly facing more than 30 lawsuits from customers who were affected by the data breach last year.

23andMe did not immediately respond to TheStreet’s request for comment. 
