23andMe Settles for $30M Over Data Breach Impacting 6.9 Million Users

Ancestry and genetics-testing company 23andMe has reached a $30 million settlement in response to a class-action lawsuit stemming from a data breach that occurred last year. The settlement awaits judicial approval.

In October, 23andMe acknowledged that “threat actors” accessed around 14,000 accounts, which is about 0.1% of its total user base, exposing the ancestry data of approximately 6.9 million connected profiles. The breach leaked sensitive information including users’ account details, location data, ancestry reports, DNA matches, family names, profile pictures, and birthdates.

The company initially confirmed the existence of the breach in October but did not disclose its full extent until December. A class-action lawsuit was subsequently filed in San Francisco, alleging that 23andMe failed to adequately protect its users’ personal information and neglected to notify certain individuals that data from those of Chinese or Ashkenazi Jewish heritage appeared to be specifically targeted during the breach.

The class-action lawsuit alleges that 23andMe inadequately safeguarded user data and failed to inform affected users promptly, among other grievances. The proposed settlement terms include compensating individuals impacted by the breach to help cover costs related to identity theft, the installation of security systems, or mental health treatment. Additionally, payments are set for those living in states with genetic privacy regulations and for all users whose health information was compromised. Enrolled settlement members will also receive three years of access to advanced “Privacy & Medical Shield + Genetic Monitoring.”

As part of the settlement agreement, 23andMe did not admit any wrongdoing. A judge must still approve the settlement, and upon approval, more detailed information will be provided to those wishing to participate in the legal resolution. In a statement, 23andMe confirmed, “We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

Interestingly, about $25 million of the settlement and associated legal expenses are expected to be financed through cyber insurance coverage.

In October, 23andMe announced on its website that an external entity had obtained information belonging to customers who used its DNA Relatives feature. The company temporarily disabled the service and said the attackers had most likely gained access through credential stuffing, in which usernames and passwords leaked in breaches of other sites are replayed against 23andMe accounts.

According to 23andMe, “We believe threat actors were able to access certain accounts in instances where users recycled login credentials—namely, usernames and passwords common across sites that had been previously hacked.”

By December, the full ramifications of the breach came to light. Ancestry data affecting 6.9 million users were compromised, including 5.5 million individuals who opted into the “Relatives” feature, designed to connect users with common DNA relatives. An additional 1.4 million users also had their family tree information accessed.

Despite the breach, 23andMe maintained that there was no indication of a data security incident within its own systems, and that it was not the source of the compromised credentials used in the attacks. A spokesperson reiterated this in the company's communications at the time.

The data that was accessed comprised a wide array of personal and familial information, including specific details about DNA relatives. This information included display names, last login times, relationship labels, predicted relationships, shared DNA percentages with DNA relatives, ancestry reports, self-reported locations, names and birth locations of ancestors, profile pictures, birth years, and links to users’ family trees.

As for family tree data, the exposed information included display names, relationship labels, birth years, and self-reported locations as well.

Source: USA Today