23andMe Reaches $30 Million Settlement After Data Breach Exposes 6.9 Million Users’ Information

A company that provides genetic testing and information about ancestry has settled a lawsuit with a class of plaintiffs for $30 million following a data breach last year.

The settlement has yet to be approved by a court. This settlement comes after the company confirmed in October that “threat actors” used 14,000 accounts (0.1% of their user base) to gain access to ancestry data of 6.9 million profiles. The data included DNA matches as well as profile pictures, birthdays, and family names.

Although 23andMe acknowledged the breach in October, it did not reveal its full extent until December. A class-action suit was filed in San Francisco the following month accusing 23andMe of failing to protect users’ information.


Class-action lawsuit

A class action lawsuit filed in January accused 23andMe of failing to adequately protect user data and notify affected parties on time.

The settlement includes payments to those affected, including people who suffered identity theft and people who needed to install physical security systems. It also includes payments for people who reside in states with laws protecting genetic privacy and for anyone whose health information was compromised, as well as three years of access to a monitoring service, “Privacy & Medical Shield+ Genetic Monitoring”.

The company has admitted to no wrongdoing as part of a settlement agreement that will pay $30 million to the affected parties.

The agreement must be approved by a judge on Monday. Those who wish to take part in the legal action will receive additional information if the deal is approved.

23andMe issued a statement announcing that it had entered into a settlement agreement to pay $30 million to settle all U.S. claims relating to the 2023 credential-stuffing incident.

Cyber insurance will cover around $25 million of the settlement costs and legal expenses.

23andMe data breach

In October, 23andMe reported on its website that a third party had stolen customer data through the DNA Relatives service. The company temporarily disabled the service, stating that it believed a “threat actor” had gained access using a credential-stuffing technique: logging in with usernames and passwords that had been exposed in other websites’ data breaches.

23andMe stated on its website that it “believe[s] that threat actors have been able to access certain accounts by recycling login credentials.” “The usernames and passwords on 23andMe.com were identical to those used by other websites that had previously been hacked.”
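The attack pattern described above (one source cycling reused credentials across many accounts, most of which fail) is what a defender would look for in authentication logs. The following is an added illustration, not 23andMe’s code or data: it runs a simple credential-stuffing detector over constructed sample log lines, and the IP addresses, account names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real 23andMe data): timestamp, source IP, account, result
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.5 carol@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.5 dave@example.com OK
2023-10-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.7 bob@example.com FAIL
2023-10-01T10:05:09Z 198.51.100.7 bob@example.com OK
2023-10-01T10:07:00Z 192.0.2.9 carol@example.com OK
"""


def parse_line(line):
    """Split one log line into (source_ip, account, succeeded)."""
    _ts, ip, account, result = line.split()
    return ip, account, result == "OK"


def detect_stuffing(log_text, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A legitimate user mistyping a password retries one account; a stuffing
    run walks through many accounts, and most attempts fail because the
    recycled password does not match here. Returns a dict keyed by flagged
    IP with the number of accounts tried, the failure ratio, and the accounts
    that logged in during the run (candidates for forced password resets).
    """
    stats = defaultdict(lambda: {"accounts": set(), "fails": 0, "total": 0, "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, account, ok = parse_line(line)
        s = stats[ip]
        s["accounts"].add(account)
        s["total"] += 1
        if ok:
            s["hits"].add(account)  # successful login inside a stuffing run: password likely reused
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["total"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["accounts"]), "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, only 203.0.113.5 is flagged; the user at 198.51.100.7 who mistyped once is not, and the successful login to dave@example.com from the flagged source is surfaced for review.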

23andMe revealed the scope of the breach in December. The company said the ancestry data of 6.9 million people had been compromised. Users of the DNA Relatives feature, which uses DNA to connect people, accounted for 5.5 million of the 6.9 million affected.

In an email, a company spokesperson said there was no indication that the company’s systems had been compromised or that 23andMe was the source of the account credentials used in the attack.

What data was compromised by the data breach?

The company claims that the data accessed included personal and family information including:

  • Profile information about DNA relatives
  • Display Name
  • The date and time the user last logged into their account
  • Relationship labels
  • Predicted relationship, based on the percentage of DNA shared with each DNA relative
  • Ancestry reports and matching DNA segments (where on the chromosomes they and their relatives share DNA)
  • Self-reported location (city/zip code)
  • The birthplaces and family names of their ancestors
  • A profile picture and birth year
  • A link to the family tree, and any additional information that they may have included in “Introduce Yourself”.

Family Tree Information

  • Display Name
  • Relationship labels
  • Birth year
  • Self-reported location (city/zip code)