23andMe to pay $30M to settle lawsuit over 2023 data breach

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit from customers impacted by a 2023 data breach when hackers accessed the personal data of millions of users on the platform.

The complaint accused 23andMe of failing to adequately protect users’ information and failing to sufficiently notify users of the breach, as well as other claims. The company denied any wrongdoing as part of the settlement agreement.

“We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement,” a spokesperson for 23andMe told in a statement.

The settlement is still pending approval by a judge.

DICK’S SPORTING GOODS HIT BY CYBERATTACK

The spokesperson also noted that around $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. 

The profile information of some 23andMe customers started appearing on the dark web in October 2023, with bad actors offering compilations of the information for a price. Names, birth years, genders, ancestry and certain other non-DNA profile information were reportedly among the details that were published.

TOYOTA HAS A DATA DILEMMA AFTER HACKERS LEAK 240GB OF CUSTOMER INFORMATION

The California-based company then confirmed in December of that year that hackers stole personal data from approximately 6.9 million users – or roughly half of its entire customer base. 

A 23andMe in Mountain View, California, on Oct. 28, 2018. (Smith Collection/Gado/Getty Images / Getty Images)

Hackers were able to breach those accounts because the customers had used the same username and password on 23andMe as they had on other websites that had been previously compromised.

GET BUSINESS ON THE GO BY CLICKING HERE

The cybersecurity industry commonly refers to that tactic as credential stuffing.

‘ Aislinn Murphy and Bradford Betz contributed to this report.