23andMe to pay $30M for settling data breach lawsuit
23andMe, a prominent genetic testing company, has agreed to a $30 million settlement following a class action lawsuit. The lawsuit was filed in response to a significant data breach that impacted over 6.9 million customers. As part of the proposed agreement, the company will compensate its affected clients and offer them access to a security monitoring program for three years.
Data breach details and customer impact
The data breach was initially disclosed by 23andMe in October last year, but the full extent of its impact was not confirmed until December. Customers using the DNA Relatives feature may have had their names, year of birth, and ancestry information exposed due to this security incident. The company attributed the hack to credential stuffing, a method in which hackers use logins previously exposed in other security breaches to access accounts.
Class action lawsuit and specific targeting
In January 2024, a class action lawsuit was filed against 23andMe in a San Francisco court. The plaintiffs alleged that the firm failed to protect their privacy and did not adequately inform customers of Chinese or Ashkenazi Jewish descent that they were specifically targeted by hackers. The hackers allegedly singled out these groups when selling the stolen information on the dark web.
Extent of the breach
The data breach, which started in April 2023 and lasted for approximately five months, impacted almost half of the 14.1 million customers in 23andMe's database at that time. The hacker reportedly gained access to 5.5 million DNA Relatives profiles, and information for an extra 1.4 million customers who used a feature called Family Tree. This incident has significantly affected the company's operations and financial stability.
Settlement agreement and company's future
The proposed settlement still requires judicial approval. Lawyers representing the plaintiffs have stated that the settlement addresses their clients' primary claims, and reflects the significant risks of further litigation considering 23andMe's challenging financial situation. They may seek legal fees of up to 25% of the settlement amount. The case is officially known as In re 23andMe Inc Customer Data Security Breach Litigation, US District Court, Northern District of California, No. 24-md-03098.