23andMe agrees to pay $30 million to settle lawsuit over massive data breach

Image: Getty 23andMe will pay $30 million to settle a class action lawsuit over a data breach that affected more than 6.9 million customers. As part of the proposed settlement, the genetic testing site will compensate affected customers and provide them with access to a security monitoring program for three years. 23andMe disclosed the data breach last October, but it didn’t confirm the overall impact until December. Customers using the DNA Relatives feature may have had information like names, birth years, and ancestry information exposed through the breach. At the time, 23andMe attributed the hack to credential stuffing, a tactic that involves logging in to accounts using recycled logins exposed in previous security breaches. In January 2024, customers filed a class action lawsuit against 23andMe in a San Francisco court, alleging the company failed to protect their privacy. They also claimed the company didn’t properly notify customers with Chinese or Ashkenazi Jewish heritage that hackers appeared to single them out when putting information up for sale on the dark web. The breach dealt a big blow to the already struggling company. As 23andMe’s stock price continued to crater, 23andMe CEO Anne Wojcicki attempted to take the company private earlier this year, but the special committee rejected the offer last month. The settlement mentions concerns surrounding the company’s finances, saying, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.” In a statement to The Verge, 23andMe spokesperson Katie Watson said the company expects cyber insurance to cover $25 million of the settlement: We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement. The proposed settlement still needs approval from the judge.

23andMe agrees to pay $30 million to settle lawsuit over massive data breach
An image showing the 23andMe test
Image: Getty

23andMe will pay $30 million to settle a class action lawsuit over a data breach that affected more than 6.9 million customers. As part of the proposed settlement, the genetic testing site will compensate affected customers and provide them with access to a security monitoring program for three years.

23andMe disclosed the data breach last October, but it didn’t confirm the overall impact until December. Customers using the DNA Relatives feature may have had information like names, birth years, and ancestry information exposed through the breach. At the time, 23andMe attributed the hack to credential stuffing, a tactic that involves logging in to accounts using recycled logins exposed in previous security breaches.

In January 2024, customers filed a class action lawsuit against 23andMe in a San Francisco court, alleging the company failed to protect their privacy. They also claimed the company didn’t properly notify customers with Chinese or Ashkenazi Jewish heritage that hackers appeared to single them out when putting information up for sale on the dark web.

The breach dealt a big blow to the already struggling company. As 23andMe’s stock price continued to crater, 23andMe CEO Anne Wojcicki attempted to take the company private earlier this year, but the special committee rejected the offer last month. The settlement mentions concerns surrounding the company’s finances, saying, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.” In a statement to The Verge, 23andMe spokesperson Katie Watson said the company expects cyber insurance to cover $25 million of the settlement:

We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.

The proposed settlement still needs approval from the judge.