23andMe has reached a $30 million settlement in a class-action lawsuit following a 2023 data breach that exposed the personal information of 6.9 million customers. The company said in a statement that it decided to settle after determining that further litigation would be “protracted, burdensome, and expensive.”
The proposed settlement offers cash payments to customers whose data was compromised and enrollment in a Privacy & Medical Shield + Genetic Monitoring program for 3 years.
Affected customers can expect cash payments from the $30 million settlement within 10 days of final approval. According to the settlement document, the class’s counsel will oversee the distribution of funds to the plaintiffs and will be responsible for notifying those involved about the payouts.
The settlement, which awaits judicial approval, permits 23andMe to deny any wrongdoing, including allegations of insufficient protection of users’ personal information and inadequate notification to those affected by the breach.
These claims were part of approximately 40 lawsuits filed against the company across the US after 23andMe revealed that a “threat actor” had accessed the account information of millions of users.
The hackers exploited customer login credentials that had been reused from other, previously compromised websites (a credential-stuffing attack), gaining access to a range of information, including health data and ancestry reports.
While the hackers initially compromised around 14,000 user profiles, which is about 0.1% of the total accounts, the DNA Relatives opt-in feature allowed them to access a broader range of information. This feature connects users with others who share their DNA, which means hackers were also able to view geographic and demographic details, photos, and additional ancestry data.
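The amplification described above can be modelled directly. The following is an added example (not 23andMe's code) that treats opt-in relative matching as a one-hop sharing graph and counts how many profiles, and which fields, a set of taken-over accounts can reach. The match graph, opt-in set and field lists are constructed sample data, and the visibility rules are assumptions: a match is shown only when both sides opted in, a taken-over account reveals its own full record, and each match reveals only the relative-visible subset of fields.

```python
"""Blast-radius model for an opt-in relative-matching feature.

Added illustration, not 23andMe's code. All data below is constructed and the
visibility rules (both sides opted in, one hop only) are assumptions."""
import random

# Assumed field sets: what a relative can see vs. what the account owner can see.
RELATIVE_VISIBLE_FIELDS = frozenset({"profile", "location", "photo", "ancestry_summary"})
DIRECT_FIELDS = RELATIVE_VISIBLE_FIELDS | {"health_report", "ancestry_report", "raw_genotype"}


def exposed_profiles(matches: dict, compromised: set, opted_in: set) -> set:
    """Profiles reachable from the taken-over accounts.

    A compromised account always exposes itself. If it opted in, it also
    exposes every opted-in match one hop away; matches of matches are not
    visible, so the walk stops there."""
    exposed = set(compromised)
    for account in compromised:
        if account in opted_in:
            exposed |= {m for m in matches.get(account, ()) if m in opted_in}
    return exposed


def field_exposure(matches: dict, compromised: set, opted_in: set,
                   relative_fields: frozenset = RELATIVE_VISIBLE_FIELDS) -> dict:
    """Count, per field, how many profiles leak that field.

    Directly compromised accounts leak every field; matched relatives leak
    only the relative-visible subset, so shrinking that subset (data
    minimisation) is the lever a defender controls here."""
    counts: dict[str, int] = {}
    for profile in exposed_profiles(matches, compromised, opted_in):
        fields = DIRECT_FIELDS if profile in compromised else relative_fields
        for f in fields:
            counts[f] = counts.get(f, 0) + 1
    return counts


def build_sample_matches(n_users: int, matches_per_user: int, seed: int = 7) -> dict:
    """Constructed random undirected match graph (not real genealogy data)."""
    rng = random.Random(seed)
    matches: dict[int, set[int]] = {u: set() for u in range(n_users)}
    for u in range(n_users):
        for _ in range(matches_per_user):
            v = rng.randrange(n_users)
            if v != u:
                matches[u].add(v)
                matches[v].add(u)
    return matches


def amplification(n_users: int, matches_per_user: int, n_compromised: int,
                  opt_in_rate: float, seed: int = 7) -> tuple[int, int]:
    """Return (directly compromised, total exposed) for a synthetic population."""
    rng = random.Random(seed)
    matches = build_sample_matches(n_users, matches_per_user, seed)
    opted_in = {u for u in range(n_users) if rng.random() < opt_in_rate}
    compromised = set(rng.sample(range(n_users), n_compromised))
    return len(compromised), len(exposed_profiles(matches, compromised, opted_in))


if __name__ == "__main__":
    direct, total = amplification(n_users=50_000, matches_per_user=40,
                                  n_compromised=50, opt_in_rate=0.8)
    print(f"direct takeovers: {direct}, profiles exposed: {total}")
```

The model is deliberately one-hop: the page describes relatives' details being viewed through the compromised accounts, not chained traversal. Running `field_exposure` with a smaller `relative_fields` set shows how much of the exposure is attributable to fields the feature chose to show rather than to the account takeovers themselves.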
By December, 23andMe announced it was in the legally mandated process of notifying affected customers and had required them to reset their passwords and enable two-step verification.
Alongside its financial obligations, 23andMe has committed to improving several business practices to prevent future breaches. These improvements include automatic password checks against known breach lists, mandatory two-factor authentication, annual security awareness training for employees, routine computer scans, and cybersecurity audits, among other initiatives.
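Two of the controls listed above, the breach-list password check and mandatory two-factor authentication, fit together at registration and login. The following is an added example, not 23andMe's code and not any vendor's API: it implements the SHA-1 prefix (k-anonymity) lookup pattern popularised by Have I Been Pwned's Pwned Passwords range endpoint against a constructed in-memory corpus, and a login gate that will not issue a session until a second factor is enrolled and verified. The corpus, the breach counts, the account records and the `legacy` flag are all constructed for the example.

```python
"""Breach-list password checks plus a mandatory-2FA login gate.

Added example, not 23andMe's code. BREACHED_PASSWORDS is a constructed
stand-in for a breach corpus; the range endpoint is simulated in-process."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed corpus: password -> number of times seen in breaches.
BREACHED_PASSWORDS = {
    "password": 9_000_000,
    "123456": 40_000_000,
    "qwerty": 4_000_000,
    "letmein": 300_000,
    "Summer2023!": 1_200,
}


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server-side index keyed by the first five hex characters of the SHA-1,
# mirroring how a range endpoint groups hashes so the client never sends
# a full hash (16**5 prefixes, so each lookup hides the password among many).
RANGE_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_lookup(prefix: str) -> dict[str, int]:
    """Simulated range query: every suffix under one 5-char prefix with its count."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(RANGE_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side of the k-anonymity check: send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def is_acceptable_password(password: str) -> bool:
    """Policy hook for registration and password change: reject anything breached."""
    return breach_count(password) == 0


def derive(password: str, salt: bytes) -> bytes:
    # Stored verifier uses a slow KDF; 100_000 PBKDF2 rounds is a demo figure.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    verifier: bytes
    totp_enrolled: bool = False


def create_account(username: str, password: str, totp_enrolled: bool = False,
                   legacy: bool = False) -> Account:
    """Registration refuses breached passwords. `legacy=True` models an account
    created before the check existed (constructed flag for the example)."""
    if not legacy and not is_acceptable_password(password):
        raise ValueError("password appears in a known breach; choose another")
    salt = os.urandom(16)
    return Account(username, salt, derive(password, salt), totp_enrolled)


def login_decision(account: Account, password_attempt: str, totp_ok) -> str:
    """Return 'denied', 'reset_required', 'enroll_2fa' or 'allow'.

    Order matters: the breach check runs only after the password verifies,
    so a failed guess never learns whether it was in the corpus, and a legacy
    account whose password has since appeared in a breach is forced to reset."""
    if not hmac.compare_digest(derive(password_attempt, account.salt), account.verifier):
        return "denied"
    if breach_count(password_attempt) > 0:
        return "reset_required"
    if not account.totp_enrolled:
        return "enroll_2fa"        # mandatory second factor before any session
    return "allow" if totp_ok else "denied"


if __name__ == "__main__":
    alice = create_account("alice", "correct horse battery staple", totp_enrolled=True)
    print(login_decision(alice, "correct horse battery staple", True))
    bob = create_account("bob", "letmein", totp_enrolled=True, legacy=True)
    print(login_decision(bob, "letmein", True))
```

The breach check at login (rather than only at registration) is what catches accounts whose password was fine when chosen but has since shown up in a dump, which is the population a credential-stuffing campaign targets. Checking it after password verification keeps the breach corpus from acting as an oracle for unauthenticated callers.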