23andMe to pay $30 million in settlement over 2023 data breach

DNA testing giant 23andMe has agreed to a $30 million settlement to resolve a class-action lawsuit stemming from a 2023 data breach that exposed the personal information of 6.4 million customers. The proposed settlement, filed on Thursday in a San Francisco federal court, is pending judicial approval. Once approved, affected customers will be entitled to cash payments, which will be distributed within ten days of the final decision.

Background on the 2023 Data Breach

The breach occurred in early October 2023, when a third party gained unauthorized access to 23andMe customer accounts through a credential stuffing attack. The hacker then targeted users who had reused their login credentials across different platforms.

The information exposed included health data and sensitive genetic details shared through 23andMe’s DNA Relatives feature. This optional feature allows users to share genetic information with relatives who have also opted in. A subset of the breached data, excluding health information, was later posted on the dark web.

23andMe promptly notified its customers and law enforcement about the incident and published a public blog post on October 6, 2023, addressing the breach.

Lawsuits and Settlement Details

Following the breach, nearly 40 lawsuits were filed in federal courts, primarily in the Northern District of California. Plaintiffs accused 23andMe of failing to implement sufficient security measures to protect users' sensitive information. The lawsuits pointed to the company’s alleged negligence, breach of contract, and violations of several consumer protection laws, including genetic privacy and unfair competition statutes.

The settlement, reached after three mediations and extensive negotiations, aims to compensate affected users while ensuring the security of their data moving forward. 23andMe has emphasized that the settlement is "fair, adequate, and reasonable." The company also requested an injunction to halt parallel lawsuits and arbitration proceedings until the settlement is finalized. It said this would help prevent conflicting claims from undermining the agreed resolution.

Looking ahead

While the settlement awaits final court approval, it marks a significant moment in addressing the aftermath of the data breach, which compromised both the trust and privacy of millions of customers. As the legal proceedings unfold, 23andMe has vowed to enhance its security protocols and regain user confidence in the safety of their personal genetic information.