DNA Service 23andMe Settles $30 Million Lawsuit over Massive Data Breach

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit stemming from a data breach that exposed the personal information of over 6.9 million customers.

The Verge reports that 23andMe, the popular genetic testing company, has reached a settlement agreement to resolve a class action lawsuit filed by customers affected by a massive data breach in 2023. The breach, which the company disclosed in October of that year, exposed sensitive information of more than 6.9 million users, including names, birth years, and ancestry data.

As part of the proposed settlement, 23andMe will compensate the affected customers and provide them with access to a three-year security monitoring program. The settlement, which still requires approval from the judge, aims to address the concerns raised by the plaintiffs regarding the company’s failure to adequately protect their privacy.

The data breach, attributed to a tactic known as credential stuffing, involved hackers using recycled login credentials from previous security breaches to gain unauthorized access to 23andMe accounts. However, it wasn’t until December that the company confirmed the full extent of the breach’s impact.

In January 2024, customers filed a class action lawsuit against 23andMe in a San Francisco court, alleging that the company had not only failed to safeguard their personal information but also neglected to properly notify customers with Chinese or Ashkenazi Jewish heritage that they had been specifically targeted by the hackers when their data was put up for sale on the dark web.

The breach dealt a significant blow to 23andMe, which was already struggling financially. CEO Anne Wojcicki’s attempt to take the company private earlier this year was rejected by the special committee last month. The settlement agreement acknowledges concerns about the company’s financial situation, stating, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.”

23andMe spokesperson Katie Watson revealed that the company expects its cyber insurance to cover $25 million of the settlement. In a statement to the Verge, Watson said, “We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
