23andMe is close to settling a proposed class action lawsuit filed against the company over a data breach that compromised 6.9 million users’ information. According to the preliminary settlement filing, the DNA testing company has agreed to pay $30 million to affected customers, as well as to conduct annual computer scans and cybersecurity audits for three years. A website will be built to notify people eligible to a portion of the settlement fund and to facilitate payments. Affected users will also be sent a link where they can delete all their information from the service, and they’ll be able to enroll to a three-year Privacy & Medical Shield + Genetic Monitoring program for free. A judge still has to approve those terms.
In October 2023, the company admitted that the DNA Relatives profile information of roughly 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relative participants had been leaked. It later revealed in a legal filing that the bad actors started breaking into customer accounts in late April 2023 and that they had access to its systems until September that year. It said that the hackers used a technique called credential stuffing, which uses previously compromised login credentials to access customer accounts.
The breach led to several class action lawsuits filed against the company, including one that accused 23andMe of failing to notify the plaintiffs that they were specifically targeted for having Chinese and Ashkenazi Jewish heritage. In the settlement agreement [PDF] for the consolidated lawsuit, 23andMe noted that it “denies the claims and allegations set forth in the Complaint” and that it “denies that it failed to properly protect the Personal Information of its consumers and users.”
According to Reuters, 23andMe describes its financial condition as “extremely uncertain.” In its financial report for the 2024 fiscal year, it revealed that it earned a total revenue of $220 million, down 27 percent from a $299 million revenue the year before. A huge chunk of the settlement money will come from cyber insurance, though, which the company expects to cover $25 million out of the $30 million total.
