23andMe has agreed to pay $30 million to settle a class action lawsuit over a data breach that exposed the personal information of 6.9 million customers in 2023. The settlement, filed in a San Francisco federal court, includes cash payments for affected customers and requires the company to implement enhanced security measures. The breach resulted from a credential-stuffing attack, in which attackers reused login credentials that had been exposed in breaches of other services to log in to 23andMe accounts.
The unauthorized access lasted from April to September 2023, and the company disclosed the breach in October of the same year. As part of the settlement, 23andMe will provide cash payments to affected customers within ten days of final approval. The company will also strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.
Additionally, 23andMe must create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. The settlement addresses claims that 23andMe failed to safeguard users’ privacy and neglected to inform customers that hackers specifically targeted them and that their information was reportedly offered for sale on the dark web.
23andMe settles data breach claims
The company denies any wrongdoing and maintains that it took appropriate measures to protect personal information. The data breach led to the leak of DNA Relatives profile information of approximately 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relative participants. The breach also resulted in the theft of health reports and raw genotype data.
23andMe’s financial condition has been described as “extremely uncertain,” with a reported total revenue of $220 million for the 2024 fiscal year, down 27 percent from the previous year. Out of the $30 million settlement, $25 million is expected to be covered by cyber insurance. The proposed settlement is still pending approval by a judge.
As part of the agreement, 23andMe will create a dedicated website to inform eligible individuals about compensation, facilitate payments, and provide a link for users to delete their information from the service. Affected users will also be able to enroll in a three-year Privacy & Medical Shield + Genetic Monitoring program for free.