Genetic and ancestry testing company 23andMe has reached a $30 million settlement after a class-action lawsuit was filed against the company over the previous year’s data breach. The agreement, which is in the process of being approved by a judge, comes after the company confirmed in October that “threat agents” used nearly 14,000 accounts, 0.1% of the company’s user base, to access ancestry data for 6.9 million connected profiles. The data that was leaked contained user account information, location, ancestry reports, DNA matches, family names, profile photos, and dates of birth, among other things.
Although 23andMe confirmed that the data breach existed last October, it did not reveal the magnitude of the problem until December. The following month, a class-action lawsuit was filed in San Francisco, accusing 23andMe of failing to adequately protect users’ personal information. 23andMe was also blamed for failing to notify some users that the data of people of Chinese or Ashkenazi Jewish descent appeared to be the target of the data breach.
Here’s What You Should Know about the 23andMe Breach and the Class Action Lawsuit
The class action lawsuit, filed in January 2024, accuses 23andMe of inadequately protecting user data and failing to notify affected parties in a timely manner, among other complaints. Terms of the agreement include payment to those affected by the security incident to cover expenses such as those incurred in combating identity theft, installing physical security systems or seeking mental health treatment; payments to those who live in states with genetic privacy laws; payments to those whose health information was leaked; and three years of access to the state-of-the-art “Privacy & Medical Shield + Genetic Monitoring” system, for all participating members of the agreement.

The company did not admit any wrongdoing as part of the agreement to pay $30 million to affected parties. As of Monday, a judge has yet to approve the agreement. If it is approved, more information will be released to affected parties who want to be part of the legal action.
“We have entered into a settlement agreement for a total cash payment of $30 million to resolve all United States claims related to the 2023 credential theft security incident,” 23andMe said in a statement. “We continue to believe this agreement is in the best interest of 23andMe customers and look forward to finalizing the agreement.” The company also said that about $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.
23andMe Data Breach — The Class Action Lawsuit
Last October, 23andMe said on its website that an outside entity had stolen information from customers using its DNA Relatives feature. The company temporarily disabled the service, saying it believed “threat actors” had gained access using a technique it called credential theft, in which attackers log in with usernames and passwords that had already been exposed through data breaches at other websites or were otherwise available.
“We believe that threat actors were able to access certain accounts in cases where users recycled login credentials, meaning the usernames and passwords used on 23andMe.com were the same as those used on other websites that had been hacked before,” 23andMe posted on its website at the time.
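The technique 23andMe describes above, replaying username/password pairs leaked from other sites in the hope that customers reused them (commonly called credential stuffing), leaves a recognizable signature in authentication logs: a single source tries many distinct accounts in a short time and succeeds on only a small fraction of them. The following detector is an added example, not code from 23andMe or from the lawsuit; the log format, the sample IP addresses and usernames, and the thresholds (`min_users`, `max_success_rate`, `window`) are constructed assumptions for illustration.

```python
"""Detect credential-stuffing sources in a constructed sample of login events.

A source IP is flagged when, inside a sliding time window, it attempts at
least `min_users` distinct accounts and its success rate is at or below
`max_success_rate`. Accounts that *did* log in from a flagged source are the
ones whose reused passwords worked and need a forced reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real 23andMe data). Assumed line format:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:01 203.0.113.7 bob FAIL
2024-01-01T10:00:02 203.0.113.7 carol OK
2024-01-01T10:00:03 203.0.113.7 dave FAIL
2024-01-01T10:00:04 203.0.113.7 erin FAIL
2024-01-01T10:00:05 203.0.113.7 frank FAIL
2024-01-01T10:00:06 203.0.113.7 grace OK
2024-01-01T10:00:07 203.0.113.7 heidi FAIL
2024-01-01T10:00:08 203.0.113.7 ivan FAIL
2024-01-01T10:00:09 203.0.113.7 judy FAIL
2024-01-01T10:05:00 198.51.100.4 alice FAIL
2024-01-01T10:05:30 198.51.100.4 alice OK
2024-01-01T11:00:00 192.0.2.9 bob OK
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=8, max_success_rate=0.3):
    """Return {ip: summary} for sources whose login pattern looks like
    automated credential replay. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the chunk spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) < min_users or successes / len(chunk) > max_success_rate:
                continue
            # Keep the widest matching window seen for this source.
            if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "successes": successes,
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
    return alerts


def accounts_to_reset(alerts):
    """Accounts that authenticated from a flagged source: candidates for a
    forced password reset, session revocation and a customer notification."""
    return sorted({u for a in alerts.values() for u in a["compromised"]})


if __name__ == "__main__":
    found = find_stuffing_sources(parse_events(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

In the sample, `203.0.113.7` cycles through ten different accounts in ten seconds and gets in twice, which is the shape the page describes: the attacker's list is only right for the users who reused a password from another site. The user retrying their own password from `198.51.100.4` is not flagged because a single account is involved. In production the same logic would run over the real authentication log and the successes would feed the reset and notification queue rather than a print.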
In December, 23andMe shared the scope of the breach, stating that the ancestry data of 6.9 million people had been compromised. Of those, 5.5 million were users who had opted in to the DNA Relatives feature, which links people who share DNA, and another 1.4 million users had their family tree information accessed.