23andMe Agrees to $30 Million Settlement in Data Breach Lawsuit
Genetic testing company 23andMe has reached a $30 million settlement in a class action lawsuit stemming from a data breach that affected over 6.9 million customers. The agreement, which requires judicial approval, includes compensation for affected individuals and provides access to a security monitoring program for three years.
The data breach, initially disclosed in October and fully confirmed in December, exposed sensitive customer information including names, birth years, and ancestry details. Users of the DNA Relatives feature were particularly impacted.
Investigators attributed the breach to credential stuffing, a technique in which hackers take login credentials exposed in previous, unrelated breaches and try them against another service, gaining unauthorized access to accounts where users reused the same password.
The class action lawsuit, filed in January 2024 in a San Francisco court, alleged that 23andMe failed to adequately protect customer privacy. Plaintiffs also claimed the company did not properly notify customers of Chinese or Ashkenazi Jewish heritage, who were reportedly targeted by hackers.
This security incident has dealt a significant blow to the already struggling company. CEO Anne Wojcicki’s recent attempt to take the company private was rejected, and the settlement has further highlighted concerns about 23andMe’s financial stability.
23andMe spokesperson Katie Watson stated that the company expects cyber insurance to cover $25 million of the $30 million settlement. The agreement aims to resolve all U.S. claims related to the 2023 security incident.
As the settlement awaits judicial approval, affected customers are advised to stay informed about compensation details and the offered security monitoring program.