23andMe Agrees to $30 Million Settlement Following Data Breach

Ancestry and genetics-testing company 23andMe has reached a $30 million settlement agreement in response to a class-action lawsuit stemming from a data breach that occurred last year. The settlement, which is still pending judicial approval, addresses the company's handling of a security incident that impacted millions of users.

In October 2023, 23andMe confirmed that "threat actors" had gained unauthorized access to approximately 14,000 accounts, representing about 0.1% of the company's user base. Through these compromised accounts, the attackers were able to access the ancestry data of 6.9 million connected profiles.

The breach, which was not fully disclosed until December, exposed sensitive user information including account details, location data, ancestry reports, DNA matches, family names, profile pictures, and birthdates.

A class-action lawsuit was filed in San Francisco in January 2024, accusing 23andMe of failing to adequately protect users' personal information. The lawsuit also alleged that the company neglected to notify certain users, particularly those with Chinese or Ashkenazi Jewish heritage, whose data appeared to be targeted in the breach. Additionally, the suit claimed that 23andMe delayed notification of the full extent of the breach.

Settlement Terms

While admitting no wrongdoing, 23andMe has agreed to a $30 million settlement. The proposed terms include payments to affected individuals for expenses related to identity theft protection and mental health treatment. Those living in states with genetic privacy laws will receive compensation, as will individuals whose health information was leaked. All settlement members who enroll will receive three years of access to "Privacy & Medical Shield + Genetic Monitoring."

The company stated that approximately $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance. The settlement agreement is still subject to judicial approval. If approved, more information will be made available for affected parties seeking to participate in the legal action.

23andMe has stated that it believes the settlement is in the best interest of its customers and looks forward to finalizing the agreement. The company maintains that there was no breach of its own systems, attributing the incident to a "credential stuffing" attack, in which threat actors logged in with usernames and passwords that had been exposed in breaches of other websites and reused on 23andMe.
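As an added illustration of the attack pattern the company describes (example code written for this article, not 23andMe's own tooling), the following Python sketch flags a credential-stuffing source in constructed login logs and lists the accounts that succeeded from it, which are the ones a defender would force-reset and notify. The log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, username, outcome).
# A stuffing source sprays many different usernames with a low success rate;
# a normal user retries one account a few times before succeeding.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "success"),
    ("203.0.113.7", "grace", "fail"),
    ("203.0.113.7", "heidi", "fail"),
    ("198.51.100.4", "alice", "fail"),
    ("198.51.100.4", "alice", "fail"),
    ("198.51.100.4", "alice", "success"),
]


def detect_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.5):
    """Group login attempts by source IP and flag sources that try many distinct
    usernames with mostly failures (assumed thresholds). Returns a dict mapping
    each flagged IP to the sorted list of accounts that logged in successfully
    from it: the accounts to reset and notify."""
    attempts = defaultdict(list)
    for ip, user, outcome in events:
        attempts[ip].append((user, outcome))
    flagged = {}
    for ip, tries in attempts.items():
        distinct_users = {user for user, _ in tries}
        successes = [user for user, outcome in tries if outcome == "success"]
        success_rate = len(successes) / len(tries)
        if len(distinct_users) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(set(successes))
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: credential stuffing suspected; accounts to reset: {accounts}")
```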
