Genetic testing company 23andMe has agreed to pay $30 million to settle a class-action lawsuit stemming from a 2023 data breach that exposed sensitive information of over 6.9 million customers.
As part of the settlement, affected users will receive compensation and free access to a security monitoring program for three years.
23andMe initially revealed the breach in October 2023 but didn’t provide full details of its scope until December. The breach impacted customers using the DNA Relatives feature, potentially exposing names, birth years, and ancestry data. The company attributed the breach to “credential stuffing,” a method where hackers use previously compromised login credentials to access accounts.
By January 2024, a class action lawsuit was filed in San Francisco, claiming that 23andMe failed to protect customer data adequately. Additionally, the lawsuit alleged that the company did not properly inform customers of Chinese or Ashkenazi Jewish heritage that they may have been targeted when hackers posted the stolen information for sale on the dark web.
This breach added to the troubles facing the company. 23andMe’s stock had already been in decline, and its CEO, Anne Wojcicki, attempted to take the company private earlier in the year. However, her offer was rejected by a special committee just a month before the settlement was reached. The settlement document also highlighted concerns about 23andMe’s financial situation, stating that a litigated judgment higher than the agreed settlement might be impossible to collect.
According to 23andMe spokesperson Katie Watson, the company expects its cyber insurance to cover $25 million of the settlement:
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”
The settlement is still awaiting final approval from a judge.
Bijay Pokharel