In a major settlement, genetic testing giant 23andMe has agreed to pay $30 million to over 6.4 million individuals impacted by a significant data breach that occurred in October 2023. The breach exposed sensitive personal and genetic information, leading to a slew of lawsuits against the company.
The breach occurred when a hacker used stolen login credentials to access account information, including health data from 23andMe’s DNA Relatives and Family Tree profile services. The hacker was able to retrieve additional information on the relatives of account holders, further intensifying the severity of the breach. According to 23andMe, portions of the stolen data were later posted on the dark web.
At the time, cybersecurity researchers discovered files on BreachForums containing sensitive data of over one million users of Ashkenazi heritage, as well as data on over 300,000 users of Chinese heritage. The leak, which affected a total of 6.4 million users in the U.S., prompted legal action and government investigations.
Dozens of lawsuits were consolidated in the aftermath, and in July 2024, a mediator’s proposal of a $30 million settlement was accepted. Verita, a third-party claims administrator, has been appointed to oversee the distribution of the financial disbursements to those affected.
Despite agreeing to the settlement, 23andMe continues to deny any wrongdoing. The company emphasized in the settlement that this agreement should not be construed as an admission of guilt, liability, or fault. The settlement agreement explicitly states that 23andMe denies “any wrongdoing whatsoever” and that it cannot be viewed as evidence of any misconduct.
The breach targeted 23andMe’s DNA Relatives and Family Tree features, which allow users to share genetic information to discover potential familial relationships. The company has pointed out that participation in these features is voluntary, and users must opt in. Furthermore, 23andMe argued that the information available through these features could not be used to cause financial harm or impersonation, as it simply reveals potential genetic relationships between users.
In response to the breach, authorities in Canada and the United Kingdom launched their own investigations into the data theft in June 2024.
In addition to the financial settlement, 23andMe has committed to improving its security measures. The company has pledged to enhance password protections, implement mandatory multi-factor authentication, provide annual security awareness training for staff, and conduct regular computer scans and cybersecurity audits. The results of these audits will be certified and submitted to the litigants’ legal teams for an undisclosed duration, ensuring continued oversight of the company’s security practices.
The breach serves as a stark reminder of the vulnerabilities that come with sharing personal genetic information online, and the importance of robust cybersecurity measures in safeguarding sensitive data.