23andMe to pay $30 million in genetics data breach settlement

DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will likely be distributed within ten days of final approval.

“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed Friday.

23andMe has also agreed to strengthen its security protocols as part of the settlement. These include protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.

The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.

“23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company said in the filed preliminary settlement.

“23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever.”

This settlement addresses claims that the genetic testing company failed to protect users’ privacy and neglected to inform customers that hackers specifically targeted them and that their information was reportedly offered for sale on the dark web.

Data stolen following credential-stuffing attack

In October 2023, 23andMe revealed that unauthorized access to customer profiles occurred through compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts.

After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.

Starting in October, threat actors leaked data profiles belonging to 4.1 million people in the UK and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums like BreachForums.

23andMe told BleepingComputer in December that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.

In January, the company also confirmed that attackers stole health reports and raw genotype data over a five-month credential-stuffing attack from April to September.

The data breach led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move criticized by customers. The company later clarified that the changes aimed to simplify the arbitration process.
