San Francisco, CA – DNA testing giant 23andMe has agreed to pay $30 million to settle a class-action lawsuit stemming from a data breach that compromised the personal information of 6.4 million customers in 2023. The proposed settlement, filed in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.
“23andMe believes the settlement is fair, adequate, and reasonable,” the company stated in a memorandum filed on Friday.
The settlement addresses claims that 23andMe failed to adequately safeguard user privacy and neglected to inform customers about the targeted nature of the breach, where hackers reportedly offered stolen data for sale on the dark web.
The Breach: A Timeline of Events
The data breach, which occurred in October 2023, involved unauthorized access to customer profiles through compromised accounts. Hackers took username and password pairs stolen in breaches of other services and replayed them against 23andMe's login, succeeding wherever a customer had reused the same password, a tactic known as credential stuffing.
Following the discovery of the breach, 23andMe implemented measures to prevent similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.
However, the damage was already done. Threat actors leaked data profiles belonging to 4.1 million individuals in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums like BreachForums.
In December, 23andMe confirmed that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach. This included health reports and raw genotype data, stolen over a five-month credential-stuffing attack from April to September.
The Class-Action Settlement and the Lawsuits
The data breach sparked multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move met with criticism from customers. The company later clarified that the changes aimed to simplify the arbitration process.
The proposed settlement, which is still awaiting judicial approval, represents a significant step towards addressing the concerns raised by the data breach.
The 23andMe Data Breach Settlement Details
The $30 million settlement will cover approximately 6.9 million 23andMe users whose data was compromised in the breach. To be eligible for the settlement, users must have been residents of the US on August 11, 2023.
The settlement includes various forms of compensation for affected users:
- Extraordinary Claims: Users who can prove they suffered significant financial or emotional hardship as a direct result of the breach can receive up to $10,000. This includes costs associated with identity fraud, falsified tax returns, physical security systems, and mental health treatment.
- State-Specific Payments: Residents of Alaska, California, Illinois, and Oregon, which have specific genetic privacy laws, will receive payments of around $100.
- Health Information Stolen: Users whose personal health information was compromised will receive a $100 payment.
23andMe’s Commitment to Enhanced Security
As part of the settlement, 23andMe has agreed to strengthen its security protocols. These include:
- Protections against credential-stuffing attacks: This will involve implementing measures to detect and prevent attempts to use stolen credentials from other breaches to access 23andMe accounts.
- Mandatory two-factor authentication for all users: This will add an extra layer of security to user accounts, requiring users to provide two forms of authentication before accessing their data.
- Annual cybersecurity audits: This will ensure that 23andMe’s security measures are regularly reviewed and updated to address emerging threats.
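The first commitment above, detecting credential-stuffing attempts, is usually implemented as a heuristic over authentication logs: a single source trying many distinct usernames roughly once each, with almost every attempt failing, looks nothing like a legitimate user mistyping their own password. The following Python is an added illustration written for this article, not 23andMe's code or any detail of its actual defenses. The log format, the sample events, the source addresses, and the thresholds (`window`, `min_users`, `max_success_rate`) are all assumptions; the one successful login inside a flagged burst is exactly the account a defender would force to reset its password and enrol in two-factor authentication.

```python
"""Credential-stuffing detection over constructed login events (illustration only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays eleven different accounts in ten seconds and lands one (dave).
# 198.51.100.9 is a real user fumbling their own password twice, then succeeding.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:03Z 203.0.113.7 carol FAIL
2023-05-01T10:00:04Z 203.0.113.7 dave OK
2023-05-01T10:00:05Z 203.0.113.7 erin FAIL
2023-05-01T10:00:06Z 203.0.113.7 frank FAIL
2023-05-01T10:00:07Z 203.0.113.7 grace FAIL
2023-05-01T10:00:08Z 203.0.113.7 heidi FAIL
2023-05-01T10:00:09Z 203.0.113.7 ivan FAIL
2023-05-01T10:00:10Z 203.0.113.7 judy FAIL
2023-05-01T10:00:11Z 203.0.113.7 mallory FAIL
2023-05-01T10:05:00Z 198.51.100.9 alice FAIL
2023-05-01T10:05:30Z 198.51.100.9 alice FAIL
2023-05-01T10:06:00Z 198.51.100.9 alice OK
2023-05-01T10:30:00Z 192.0.2.44 bob OK
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=10, max_success_rate=0.2):
    """Flag source IPs that, within any sliding window, hit many distinct usernames
    with a low success rate. Thresholds are assumed values for the illustration."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in win if ok)
            if successes / len(win) <= max_success_rate:
                # Keep the widest qualifying window seen so far for this IP.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": successes,
                    # Accounts that accepted a sprayed credential: treat as compromised.
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts that logged in successfully from a flagged source; these
    get a forced password reset and mandatory two-factor enrolment."""
    return sorted({u for a in alerts.values() for u in a["compromised"]})


def analyze(text=SAMPLE_LOG):
    """Run the detector over a log text and return its alerts."""
    return find_stuffing_sources(parse_events(text))


if __name__ == "__main__":
    result = analyze()
    for ip, info in result.items():
        print(f"{ip}: {info['distinct_users']} users, {info['successes']}/{info['attempts']} ok, "
              f"compromised={info['compromised']}")
    print("force reset + 2FA for:", accounts_to_reset(result))
```

On the constructed sample only 203.0.113.7 is flagged; the two failed attempts from 198.51.100.9 never cross the distinct-username threshold, which is the point of keying on username diversity rather than raw failure counts. In production the same logic runs over a streaming log with per-IP state, and the `compromised` list feeds the password-reset and two-factor enrolment workflow the settlement describes.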
Beyond Security Enhancements
23andMe has also agreed to:
- Create and maintain a data breach incident response plan: This plan will outline the steps the company will take in the event of a future data breach, ensuring a swift and effective response.
- Stop retaining personal data for inactive or deactivated accounts: This will minimize the amount of sensitive data stored by 23andMe, reducing the potential impact of future breaches.
- Provide an updated Information Security Program to all employees during annual training sessions: This will ensure that all employees are aware of the company’s security policies and procedures, and are equipped to handle sensitive data responsibly.
The Impact of the Settlement
While the settlement does not absolve 23andMe of responsibility for the data breach, it represents a significant step towards addressing the concerns of affected customers. The financial compensation and security enhancements outlined in the settlement aim to provide a measure of justice and reassurance to those whose personal information was compromised.
The settlement also serves as a reminder of the importance of robust cybersecurity practices for companies that handle sensitive personal data. The breach highlights the need for companies to prioritize data security, implement strong authentication measures, and regularly review and update their security protocols to mitigate the risk of data breaches.