Genetic testing company 23andMe has agreed to terms that will settle a class action lawsuit brought against the company following a major data breach.
In October 2023, it was revealed that a hacker had gained access to 23andMe user accounts. Subsequent investigations confirmed that the DNA Relatives profiles of approximately 5.5 million people had been accessed, as well as Family Tree profile information for approximately 1.4 million DNA relatives who participated in that feature.
The hackers began their large-scale data theft in April 2023 and were active until September of the same year.
The terms of the settlement
In January 2024, the company blamed its customers for the breach. The hackers used credential stuffing (trying username and password pairs exposed in earlier, unrelated breaches against 23andMe's login page) to gain access to the accounts. According to 23andMe, users “negligently reused their passwords and failed to update them following previous security incidents unrelated to 23andMe.”
“Therefore, the incident did not result from 23andMe’s alleged failure to maintain reasonable security measures,” the company said at the time.
The victims filed a class action lawsuit, which the company has now settled in principle. All that remains is for the judge to approve the terms.
Under the settlement terms, which must still be approved by a judge, 23andMe will pay out $30 million to affected customers and conduct annual computer scans and cybersecurity audits for the next three years. It will set up a special website to notify eligible individuals about the payout and will provide everyone with an easy way to delete all of their files from the company’s servers.
Finally, victims will receive a three-year Privacy & Medical Shield + Genetic Monitoring program free of charge.
How the settlement will affect the company’s business remains to be seen. Reuters reports that 23andMe described its financial condition as “extremely uncertain,” with revenue down a quarter (from $299 million to $220 million) year over year.
Via Engadget