23andMe willing to pay $30M to settle data breach
23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.9 million customers.
23andMe is a South San Francisco-based company where customers can have their DNA tested for ancestry, genetic predispositions, and health-related traits.
In October 2023, 23andMe was hit by a credential stuffing attack. In the attack, hackers managed to gain access to 0.1 percent of all accounts, or roughly 14,000 profiles.
Furthermore, the compromised accounts had enabled a feature called DNA Relatives, which automatically shares some of a user’s data with distant relatives. As a result, the private data of 6.9 million users was exposed, including full names, dates of birth, location data, relationship status, health and family tree data, and information that users voluntarily shared to get in touch with relatives.
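The pattern described above, where leaked username/password pairs from other sites are replayed against a login endpoint, leaves a recognisable footprint: one source tries many distinct accounts in a short window, each account only once or twice, with a low but non-zero success rate. The script below is an added example (not code from the article or from 23andMe) that runs such a detector over constructed sample auth log lines; the IP addresses, usernames and thresholds are assumptions chosen for illustration. It also reports which accounts succeeded inside a flagged window, since those are the accounts a defender would force to re-authenticate with a second factor.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.7 sprays one attempt at each of many accounts (stuffing pattern);
# 198.51.100.9 is a single user retrying their own password (not stuffing).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank@example.com FAIL
2023-10-01T12:00:06Z 203.0.113.7 grace@example.com SUCCESS
2023-10-01T12:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T12:05:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T12:05:10Z 198.51.100.9 alice@example.com FAIL
2023-10-01T12:05:30Z 198.51.100.9 alice@example.com SUCCESS
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int          # largest flagged window, in login attempts
    distinct_users: int    # distinct accounts tried inside that window
    compromised: list      # accounts that logged in successfully inside a flagged window


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events: list, window: timedelta = timedelta(seconds=60),
                    min_distinct: int = 5, max_success_rate: float = 0.5) -> dict:
    """Flag source IPs that, within `window`, tried at least `min_distinct`
    different accounts with a success rate at or below `max_success_rate`.
    A single account hammered repeatedly is brute force, not stuffing, and
    is deliberately not flagged here (distinct-user count stays at 1)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start, hit = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(1 for e in win if e.ok)
            if len(users) >= min_distinct and successes / len(win) <= max_success_rate:
                if hit is None:
                    hit = Finding(ip, 0, 0, [])
                hit.attempts = max(hit.attempts, len(win))
                hit.distinct_users = max(hit.distinct_users, len(users))
                for e in win:
                    if e.ok and e.user not in hit.compromised:
                        hit.compromised.append(e.user)
        if hit is not None:
            hit.compromised.sort()
            findings[ip] = hit
    return findings


def analyze(text: str) -> dict:
    """Parse a log and return {source_ip: Finding} for flagged sources."""
    return detect_stuffing(parse_log(text))


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {f.attempts} attempts across {f.distinct_users} accounts; "
              f"force re-auth for: {', '.join(f.compromised)}")
```

On the sample log this flags only 203.0.113.7 (8 attempts across 8 accounts, 2 successes) and lists carol and grace as the accounts to step up; the retrying user at 198.51.100.9 is left alone. In production the same logic would key on more than the source IP (ASN, user agent, TLS fingerprint), because stuffing tools rotate addresses, and the thresholds would be tuned against the site's normal login mix.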
In January 2024, customers filed a class action lawsuit against 23andMe, arguing the company failed to protect their privacy and claiming they weren’t properly notified when the incident happened.
Before the case reached a jury verdict, the plaintiffs and the defendant reached a settlement, which was filed last week and is awaiting judicial approval.
23andMe promises to strengthen its security protocols, including better password protection, mandatory two-factor authentication (2FA), annual security awareness training for staff members, and annual cybersecurity audits. Also, the company has to create and maintain a data breach incident response plan and stop retaining personal information of customers who have an inactive or deactivated account.
Victims aren’t going to get rich. The settlement proposes up to $10,000 for users who file a so-called ‘extraordinary claim’, meaning they can prove the data breach caused them to suffer financial fraud. The cap for extraordinary claims has been set at $5 million. Other users are entitled to a payment of $100.
Finally, 23andMe agreed to pay for identity and fraud monitoring services for three years to all affected users.
“23andMe believes that the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed last Friday.