A sign is posted in front of the 23andMe headquarters on February 01, 2024 in Sunnyvale, California. Genetic testing company 23andMe, once valued at $6 billion, is facing the possibility of delisting from NASDAQ as the company navigates numerous class action lawsuits (Photo by Justin Sullivan/Getty Images)
The DNA testing company 23andMe has agreed to pay $30 million to settle a lawsuit arising from a 2023 data breach that exposed the personal data of more than six million users.
Affected customers will receive cash payouts under the proposed class action settlement, which was submitted on Thursday to a federal court in San Francisco, California, and is pending judicial approval. Payments will be disbursed ten days after final approval.
“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed on Friday.
Additionally, 23andMe has committed to strengthening its security measures, including yearly cybersecurity audits, mandatory two-factor authentication for all users, and defenses against credential-stuffing attacks.
The company must stop retaining personal information for deactivated or inactive accounts, and must develop and maintain a data breach incident response plan. Every employee will receive an updated “Information Security Program” during yearly training sessions.
However, “23andMe [still] denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company stated in the filed preliminary settlement.
“23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever,” it continued.
The settlement resolves allegations that the genetic testing company violated privacy laws and failed to notify customers that they were being targeted by hackers and that their data was purportedly being sold on the dark web.
Beginning in October 2023, threat actors posted data profiles on the unofficial 23andMe subreddit and on hacking forums such as BreachForums, claiming they belonged to 4.1 million people in the United Kingdom and, specifically, to “1 million Ashkenazi Jews” globally.
In December, 23andMe informed the outlet BleepingComputer that the hack had resulted in the download of data for 6.9 million consumers, including 6.4 million Americans.
The company also said in January that hackers had taken raw genetic data and health reports during a credential-stuffing attack that ran for five months, from April to September.
Following numerous class-action lawsuits over the breach, 23andMe revised its Terms of Use in November 2023, a move that drew criticism from users. The company later clarified that the changes were intended to simplify the arbitration process.