23andMe settles class-action breach lawsuit for $30 million

Also: Apple to end NSO Group lawsuit; Malicious Python dev job offers; Dark web kingpins busted; and more

Infosec In Brief Genetic testing outfit 23andMe has settled a proposed class action case related to a 2023 data breach for $30 million.

Documents [PDF] filed in a San Francisco federal court last Thursday indicate 23andMe will fork over the pot of money to settle claims from any of the 6.4 million US citizens (per court documents) whose data was stolen during the incident. The settlement includes an agreement to provide three years of privacy, medical and genetic monitoring.

For those that may have forgotten, 23andMe, which offers genetic testing services, suffered from a massive data breach in 2023 that saw millions of its customers' data stolen and put up for sale on the dark web.

The individual behind the breach specifically targeted Ashkenazi Jewish and Chinese 23andMe customers. The attacker had five months of unfettered access to the service's systems, which went undetected until someone mentioned 23andMe data being for sale in a Reddit post.

23andMe described the terms of the settlement as "fair, reasonable and adequate" in court documents, which reveal that 23andMe needed to settle the matter due to finding itself "in an uncertain financial situation" due to the continued litigation.

Fair enough – 23andMe shares have never been valuable, but its market capitalization has plummeted since the incident became public knowledge. In its most recent earnings report early last month, 23andMe posted considerable losses – with revenue down 34 percent compared to the same time last year, $69 million in quarterly losses, and more than 20 percent less cash on hand than at the end of the previous quarter with only $170 million on the balance sheets.

In other words, this isn't just some petty settlement – it'll take a bite out of 23andMe's reserves.

Or at least it would have, were insurance not covering it. Speaking to Reuters, 23andMe said it expects around $25 million of its settlement costs to be covered.

Critical vulnerabilities of the week: Git patchin'!

Last week’s Patch Tuesday wasn’t the last word in recently found critical flaws. We have a few items to share – starting with some time-to-patch issues from GitLab.

The SaaSy devops firm released updates last week to deal with 17 security patches, including one at CVSS 9.9 tracked at CVE-2024-6678. That little nasty allows an attacker to trigger a pipeline as an arbitrary user in certain circumstances in multiple versions of GitLab CE/EE.

Elsewhere:

  • CVSS 9.3 – CVE-2024-40766: An improper access control vulnerability in SonicWall SonicOS that can be exploited to crash the appliance is being exploited in the wild.
  • CVSS 8.4 – CVE-2016-3714: Remember the ImageMagick bug of 2016? Yep, still around, and still being abused.

Apple drops suit against NSO Group

Worried the case might ultimately do more harm than good, Apple has moved to drop its lawsuit against Pegasus spyware maker NSO Group.

Court documents filed by Apple last Friday indicate the fruit cart is worried that the discovery process against Israel-based NSO Group would see sensitive Apple data reach in NSO and companies like it – enabling the creation of additional spyware tools used by nation states.

Along with concern for the security of its own software, Apple also claimed it didn't have confidence in NSO's honesty when producing documents, citing an article in The Guardian that reported Israeli officials had been used to take sensitive files from NSO headquarters to keep information away from Americans.

Apple argued in its filing that, while it didn't know if the story was true, it raised concerns about whether the whole matter would just be a waste of time and money.

IRS IT supervisor pleads guilty to extortion, accepting bribes

Talk about a bad engineering team leader. Satbir Thukral, a now-former computer engineer and IT project supervisor at the US Internal Revenue Service (IRS), pled guilty last week to accepting bribes for putting underqualified people in jobs, and extorting an IRS contractor.

Thukral reportedly began demanding cash payments from a business on an IRS contract he supervised nearly as soon as they were onboarded, ultimately extorting more than $120,000 from the firm by the end of 2020. When the biz said it wouldn't pay anymore, Thukral reportedly threatened the owner with "economic consequences" if he didn't comply.

Separately, Thukral also got caught taking bribes totaling $2,800 in cash from one contractor for "facilitating the continued employment of two underqualified individuals at two other IRS subcontractors," according to the Department of Justice.

Thukral has pled guilty to acceptance of bribes by a public official, and now faces a maximum penalty of 15 years in prison.

Beware that job offer, Pythonista: It could be a malware campaign

Malware campaigns that mimic skills tests for developers are nothing new, but this one targeting Python developers is.

Reported by researchers at ReversingLabs, the malware uses a similar tactic to previously spotted campaigns that try to trick developers into downloading malicious packages masquerading as skills tests. After the victim compiles the code and solves whatever problems the packages contain, their system is infected.

Like previous campaigns of the same type that mostly targeted JavaScript developers, ReversingLabs suspects this one is linked to North Korea.

As we've reported, North Korean threat actors have been behind several campaigns using fake job offers to infect systems with backdoors and infostealers. In previous campaigns it's been fake jobs at Oracle, Disney or Amazon used as lures – this time it appears the attackers are posing as financial services firms.

So, if you get a job offer from Capital One (one example cited by ReversingLabs) that seemed too good to be true and wanted you to download a file, maybe try verifying the legitimacy of the offer before running anything.

Dark web kingpins indicted

A pair of Russian and Kazakh nationals have been arrested and charged in connection to running dark web markets, forums and training facilities for criminals.

Kazakhstani Alex Khodyrev and Russian Pavel Kublitskii were arrested in Miami and charged with conspiracy to commit access device fraud and conspiracy to commit wire fraud last week, elated to a site they ran for a decade called wwh.club.ws.

WWH Club users could buy and sell stolen personal information, discuss best practices for conducting various types of illegal activity, and even take courses on how to commit fraud and other crimes. Khodyrev, Kublitskii and others involved in the site "profited through membership fees, tuition fees, and advertising revenue," the DoJ alleged.

While not specific to any earnings the pair may have made, the DoJ did note it was seizing the pair's Mercedes-Benz and Cadillac vehicles, which officials said are allegedly traceable to proceeds of the offenses. ®

More about

TIP US OFF

Send us news


Other stories you might like