Genetics testing company 23andMe has agreed to terms which could settle the class-action lawsuit it is currently facing following a major data breach.
News broke in October 2023 that a hacker had accessed accounts belonging to 23andMe users, with subsequent investigations confirming DNA Relatives profiles of some 5.5 million people were accessed, as well as Family Tree profile information of some 1.4 million DNA Relative participants.
The hackers started their grand theft data in April 2023, and were active until September the same year.
The terms of the settlement
In January 2024, the company laid the blame for the breach on its customers, as since the hackers used credential stuffing to access the accounts, 23andMe said users, “negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” it said at the time.
The victims still filed a class-action lawsuit, which the firm is now “close to settling”, with all that remains is for the judge to approve the terms.
Under the settlement terms, which the judge still needs to approve, 23andMe will pay out $30 million to affected customers, and will conduct annual computer scans and cybersecurity audits for the next three years. It will set up a dedicated website to notify eligible individuals of the payout, and will provide everyone with an easy way to delete all their files from the company’s servers.
Finally, victims will receive a three-year Privacy & Medical Shield + Genetic Monitoring program for free.
How the settlement affects the company’s business remains to be seen. Reuters says 23andMe described its financial condition as “extremely uncertain”, with revenues down by a quarter (from $299m to $220m) year-on-year.
Via Engadget