23andMe is nearing a settlement in a class action lawsuit filed against it over a data breach that exposed the information of 6.9 million users. According to tentative settlement documents, the DNA testing company has agreed to pay $30 million to affected customers and conduct computer scans and cybersecurity audits annually for three years. A website will be built to notify people who are eligible to receive a share of the settlement money and facilitate payment. Affected users will also be sent a link that allows them to remove all their information from the service and sign up for a three-year Privacy & Medical Shield + Genetic Monitoring program at no cost. Those terms still need to be approved by a judge.
The company acknowledged in October 2023 that DNA Relatives profile information for approximately 5.5 million customers and Family Tree profile information for 1.4 million DNA Relative participants had been compromised. The company later revealed in legal documents that hackers began breaking into customer accounts in late April 2023 and had access to the system until September of that year. The hackers used a technique known as credential stuffing, using previously compromised login credentials to access customer accounts, the company said.
The breach led to multiple class action lawsuits filed against the company, including one that accused 23andMe of failing to inform plaintiffs that they were specifically targeted because of their Chinese and Ashkenazi Jewish ancestry. In a settlement agreement (PDF) for the consolidated lawsuits, 23andMe stated that it “denies the claims and allegations set forth in the Complaint” and that it “failed to adequately protect the personal information of consumers and users.”
According to Reuters, 23andMe described its financial situation as “highly uncertain.” In its fiscal 2024 financial report, the company revealed total revenue of $220 million, down 27% from $299 million the previous year. However, the majority of the settlement will come from cyber insurance, and the company expects to cover $25 million of the $30 million total.
