23andMe to pay $30 million to settle 2023 data breach lawsuit

In response to the 2023 data breach that compromised 6.9 million users’ information, 23andMe has agreed to pay $30 million in a settlement. The company will also implement annual cybersecurity audits and offer affected users options to delete their data or enroll in a privacy program.

23andMe has agreed to pay $30 million to resolve a proposed class action lawsuit over a data breach that compromised the personal information of 6.9 million users. The preliminary settlement agreement outlines that the DNA testing company will also implement annual computer scans and cybersecurity audits for the next three years. In addition, a dedicated website will be created to inform eligible individuals about the settlement and facilitate their payments. Affected users will receive a link to delete their data from the service and have the option to enroll in a three-year Privacy & Medical Shield + Genetic Monitoring program at no cost. The court’s final approval is still pending.

The breach, revealed in October 2023, exposed DNA Relatives profile data for about 5.5 million users and Family Tree profile information for 1.4 million participants. The company admitted that hackers had accessed its systems from late April 2023 until September of the same year using credential stuffing—a method involving the use of previously compromised login details to infiltrate accounts.

The breach led to several class action lawsuits against 23andMe, including allegations that the company neglected to inform individuals specifically targeted because of their Chinese and Ashkenazi Jewish heritage. In the settlement, 23andMe maintains that it “denies the claims and allegations set forth in the Complaint” and asserts it did not fail in protecting its users’ personal information.

Financially, 23andMe is in a precarious position. In the 2024 fiscal year, the company’s revenue decreased by 27 percent, dropping to $220 million from $299 million the year before. A substantial part of the settlement is anticipated to be funded by cyber insurance, which will cover $25 million of the $30 million total.