

23andMe agrees to $30 million settlement after data breach affected nearly 7 million users

The company faced a class-action lawsuit claiming it failed to protect users' information and that it failed to notify affected accounts after the 2023 data breach.
A 23andMe test kit is shown.

Genetic testing company 23andMe has agreed to pay $30 million to settle a class-action lawsuit stemming from a 2023 data breach that exposed the personal information of 6.9 million customers.

The settlement, filed in federal court Thursday and pending a judge's approval, resolves all claims and causes of action related to the breach while allowing 23andMe to deny any wrongdoing in the incident, including that it failed to properly protect users' personal information and that it didn't provide adequate notice to those involved in the breach.

These claims were among those brought forth in around 40 lawsuits launched against 23andMe nationwide after the company disclosed in October that a "threat actor" accessed millions of users' account information. The hackers logged in with customer credentials that had been exposed in breaches of other websites and reused unchanged on 23andMe (a credential-stuffing attack), and from those accounts reached various forms of information, from health-related data to ancestry reports.


Though they initially breached about 14,000 — or 0.1% — of the company's user profiles with the compromised credentials, hackers were able to access millions more accounts through DNA Relatives, an opt-in feature that lets users connect with others on the platform who share their DNA. This allowed them to see geographic and demographic information, photos and further ancestry data.

Data profiles from millions of users, notably those with Ashkenazi Jewish or Chinese heritage, started appearing on the dark web soon after the breach, with some compilations being offered for a price.

By December, 23andMe said it was in the legally required process of notifying affected customers and had required customers to reset their passwords and use a two-step verification process. At the time, it said it expected the breach to cost the company up to $2 million, but the next month, the class-action lawsuit was filed.


The company now says it agreed to settle after concluding further litigation would be "protracted, burdensome and expensive." Affected customers will be able to access cash payments from the $30 million within 10 days of the settlement's final approval. The class' counsel will administer how the funds are distributed to the plaintiffs and are responsible for notifying those involved of its payouts, the settlement document said.

In addition to the financial commitments, 23andMe has also agreed to enhance certain business practices to reduce the risk of another breach. These include automatic password checks against breach lists, mandatory two-factor authentication, annual security awareness training for employees, enforced computer scans, cybersecurity audits and more.