23andMe Data Breach Settlement
The genetic testing and ancestry company 23andMe has agreed to a $30 million settlement in response to a class-action lawsuit related to a data breach that happened last year. The breach affected 6.9 million users. The settlement, awaiting a judge’s approval, follows the company’s October revelation that “threat actors” exploited around 14,000 accounts—about 0.1% of its user base—to access the ancestry data of 6.9 million profiles. The breached data included users’ account details, locations, ancestry reports, DNA matches, family names, profile pictures, birthdates, and more.
The Data Breach
In October of 2023, 23andMe announced on its website that an external entity had stolen information from customers utilizing its DNA Relatives feature. The company temporarily suspended the service, stating it believed “threat actors” had accessed accounts through a method known as credential stuffing. Which involves using usernames and passwords that had previously been exposed in data breaches from other websites or otherwise made available.
The breach was orchestrated by someone who specifically targeted Ashkenazi Jewish and Chinese users. The attacker had free access to the company’s systems for five months before the breach was discovered. With the issue being exposed only after a Reddit post mentioned the sale of 23andMe data.
What To Know About The Class Action Suit
The class-action lawsuit filed in January alleges that 23andMe did not sufficiently safeguard user data and failed to promptly notify those affected, among other issues. The settlement terms include compensation for individuals impacted by the security breach to cover expenses related to identity theft protection. The installation of physical security measures, or mental health treatment. Additionally, there will be payments for residents of states with genetic privacy laws. Compensation for all individuals whose health information was compromised, and three years of access to advanced “Privacy & Medical Shield + Genetic Monitoring” for all settlement participants who choose to enroll.
The DNA testing company has cooperated to pay 30 million dollars to settle the lawsuit over the data breach . In a memorandum filed by the company, the company stated that,”23andMe believes the settlement is fair, adequate, and reasonable,”. 23andMe has also coincided to enhance its security measures. Including measures to prevent credential-stuffing attacks, implementing mandatory two-factor authentication for every user and conducting an annual cybersecurity audit.
The company is also required to develop and maintain a data breach incident response plan and to cease retaining personal data for inactive or deactivated accounts. Additionally, an updated Information Security Program will be shared with all employees during annual training sessions.
The Impact On The Company
23andMe’s shares have never been particularly valuable, and its market capitalization has significantly dropped since the breach was made public. In its latest earnings report from early last month. The company reported significant losses, with revenue down 34% compared to the same period last year. Quarterly losses of $69 million, and more than a 20% decrease in cash reserves, totaling only $170 million on the balance sheet.
Therefore This settlement isn’t just a minor expense; it will impact 23andMe’s financial reserves.
However, insurance will help mitigate the financial hit. In a statement to Reuters, 23andMe indicated that it anticipates around $25 million of its settlement costs will be covered by insurance.
Written by Jaliyah Triplett
Sources:
BLEEPINGCOMPUTER: 23andMe to pay $30 million in genetics data breach settlement by Sergiu Gatlan
The Register: 23andMe settles class-action breach lawsuit for $30 million by Brandon Vigliarolo
USA Today: 23andMe agrees to $30 million settlement over data breach that affected 6.9 million users by
Featured Image Courtesy of Richard Patterson Flickr Page- Creative Commons License
First Inset Image Courtesy of Stock Catalog Flickr Page- Creative Commons License
Second Inset Image Courtesy of Karen Neoh Flickr Page- Creative Commons License
