23andMe has agreed to pay $30 million to settle a class-action lawsuit stemming from a 2023 data breach that exposed the personal information of 6.4 million customers. The settlement, filed in a San Francisco federal court, is awaiting judicial approval. Once approved, the settlement will provide cash payments to affected customers, to be distributed within ten days. The data breach led to a wave of legal action and criticism, as the DNA testing giant faced claims that it failed to adequately safeguard sensitive genetic information.
The breach occurred in October 2023, when hackers used credential-stuffing attacks—where login credentials stolen from other breaches were used to access 23andMe accounts. Through these compromised accounts, threat actors gained access to personal information, including genetic data, health reports, and raw genotype information. Data for 6.4 million U.S. customers, 4.1 million users in the UK, and 1 million Ashkenazi Jews was leaked, with profiles being sold on the dark web and forums like BreachForums.
As part of the settlement, 23andMe has committed to implementing stronger security protocols to prevent future incidents. This includes mandatory two-factor authentication for all users, enhanced defenses against credential-stuffing attacks, and annual cybersecurity audits. The company will also create a formal data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. Employees will receive annual training under an updated Information Security Program to ensure that new security measures are properly followed.
Despite agreeing to the settlement, 23andMe denies any wrongdoing or liability in the data breach. In a statement, the company said that it believes the settlement is fair, adequate, and reasonable, but rejected claims that it had failed to protect user data. The company also clarified that the settlement does not serve as an admission of fault but rather a step toward resolving the legal challenges resulting from the breach. This incident highlights the growing concerns over data privacy in the genetic testing industry, as more users entrust companies with sensitive personal information.
Reference:
