23andMe Agrees to $30 Million Settlement in Data Breach Lawsuit Affecting 6.4 Million Customers
As reported by BleepingComputer, 23andMe, the DNA testing giant, has agreed to pay $30 million to settle a lawsuit stemming from a 2023 data breach that exposed the personal information of 6.4 million customers.
The proposed class-action settlement was filed on Thursday in a San Francisco federal court and is currently awaiting judicial approval. According to the terms of the settlement, affected customers will receive cash payments, which will be distributed within ten days of the final approval.
In a memorandum filed Friday, 23andMe stated, "23andMe believes the settlement is fair, adequate, and reasonable." However, the company has continued to deny any wrongdoing or negligence in relation to the breach.
"23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages," the company said in its preliminary settlement filing. The company emphasized that this settlement should not be construed as an admission of fault or liability.
As part of the settlement, 23andMe has agreed to bolster its security protocols to prevent future breaches. These enhancements include protections against credential-stuffing attacks and the implementation of mandatory two-factor authentication for all users. The company has also pledged to conduct annual cybersecurity audits and maintain a comprehensive data breach incident response plan.
Additionally, 23andMe will stop retaining personal data for inactive or deactivated accounts. Employees will receive updated information on security practices through an annual training program that aligns with the company’s newly enhanced Information Security Program.
The lawsuit addressed claims that 23andMe failed to protect user privacy and neglected to inform customers that their information was being targeted by hackers and later offered for sale on the dark web.
In October 2023, the company revealed that hackers had accessed customer profiles by exploiting credentials stolen from other breaches. This credential-stuffing attack allowed unauthorized access to 23andMe accounts, leading to the exposure of sensitive genetic information.
Following the discovery of the breach, 23andMe took immediate steps to mitigate the impact. Customers were required to reset their passwords, and two-factor authentication was made a default requirement starting in November. Despite these efforts, data profiles of approximately 4.1 million individuals in the United Kingdom and 1 million Ashkenazi Jews were leaked on hacking forums, including the unofficial 23andMe subreddit and BreachForums.
By December, 23andMe confirmed that the breach affected data belonging to 6.9 million customers, including personal information for 6.4 million U.S. residents. The company later acknowledged that hackers had accessed health reports and raw genotype data during a five-month-long credential-stuffing attack from April to September.
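One defender-side check for the credential-stuffing pattern described above, added here as an example that is not part of the original article or of anything 23andMe has published: it scans a constructed authentication log for source addresses that try many distinct accounts with mostly failed logins inside a short window, then lists the accounts that did log in successfully from those addresses, which are the candidates for a forced password reset and 2FA enrollment. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data): timestamp, source IP, username, result.
# 203.0.113.7 tries six different accounts in six seconds; 198.51.100.9 is one user mistyping.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:03Z 203.0.113.7 carol FAIL
2023-05-01T10:00:04Z 203.0.113.7 dave SUCCESS
2023-05-01T10:00:05Z 203.0.113.7 erin FAIL
2023-05-01T10:00:06Z 203.0.113.7 frank FAIL
2023-05-01T10:03:00Z 198.51.100.9 alice FAIL
2023-05-01T10:03:30Z 198.51.100.9 alice FAIL
2023-05-01T10:04:00Z 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: max distinct accounts tried} for IPs that, within any sliding window,
    attempt at least min_users distinct accounts with a failure ratio >= min_fail_ratio.
    Password spraying from one address looks exactly like this; a single user retrying
    their own password does not, because the distinct-account count stays at one."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that authenticated successfully from a flagged source: reset these first."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3] == "SUCCESS"})
```

Thresholds should be tuned against the service's normal traffic (shared NAT egress addresses, for example, legitimately carry many distinct users), and a successful login from a flagged source is a signal to investigate, not proof of compromise on its own.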
The data breach resulted in multiple class-action lawsuits against 23andMe. The company’s subsequent amendment of its Terms of Use in November 2023 drew criticism from customers, who saw the changes as an attempt to limit liability. 23andMe later clarified that the amendments were intended to simplify the arbitration process, rather than evade responsibility.
The settlement agreement not only provides financial compensation to affected customers but also mandates significant security enhancements to prevent similar incidents in the future. By committing to a stronger security posture, 23andMe aims to restore trust with its users and set a precedent for other companies handling sensitive genetic information.
The court's approval of this settlement could mark a turning point in how genetic testing companies address data security and privacy, emphasizing the need for robust safeguards in protecting user data from cyber threats.