Judge hammer on dollar notes showing lawsuit settlement for data breach

Genetic Testing Company 23andMe Settles Data Breach Lawsuit for $30 Million

Genetic testing company 23andMe has settled a data breach lawsuit stemming from the 2023 cybersecurity incident that impacted the personal and genetic information of 6.9 million customers.

23andMe will pay $30 million in damages to class members of the January 2024 lawsuit filed in the U.S. District Court, Northern District of California, and provide three years of security monitoring.

The settlement terms also require the company to implement additional cybersecurity measures, to prevent the recurrence of similar data breaches.

23andMe settles data breach lawsuit but denies responsibility

Impacted customers will receive cash compensation within ten days of the final approval and enroll in a security program dubbed Privacy & Medical Shield + Genetic Monitoring for three years.

In addition, 23andMe will enhance its security protocols as part of the data breach lawsuit settlement, by implementing measures against credential stuffing attacks, enforcing mandatory two-factor authentication, and conducting annual cybersecurity audits.

Despite its “uncertain financial condition,” 23andMe described the data breach lawsuit settlement as fair, adequate, reasonable, and in the best interest of its customers.

However, the company warned that any judgment higher than the negotiated settlement could be uncollectable, hinting at the company’s dire financial situation.

Luckily, cybersecurity insurance will cover the bulk of the proposed compensation amount, $25 million, while 23andMe will foot the rest.

Meanwhile, the data breach lawsuit settlement absolved the genetic testing company from allegations the data breach lawsuit made including failing to “properly protect the personal information of its customers.”

Class members had also accused 23andMe of failing to properly notify individuals of Ashkenazi Jewish and Chinese origin who were specifically singled out when the threat actor leaked the stolen genetic information.

“23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever,” the settlement terms stated.

October 2023 data breach

The October 2023 23andMe data breach stemmed from credential stuffing attacks, which involved the use of login details from previous data breaches to compromise user accounts.

They accessed the names, birth years, and ancestry information of 5.5 million customers who used the DNA Relatives feature and 1.4 million profiles of those who used the Family Tree feature.

The genetic testing company responded by resetting customer accounts and enforcing two-factor authentication, akin to closing the stable door after the horse has bolted.

Subsequently, the threat actor leaked the DNA profiles of 1 million Ashkenazi Jews, individuals of Chinese descent, 4.1 million UK citizens, and 6.4 million Americans on BreachForums and Reddit.

They also accessed raw genotype data, which could expose affected individuals’ secret familial relationships and predisposition to certain hereditary health conditions.

This information violates the victims’ privacy and puts them at risk of potential health insurance- and employment-related discrimination.

Pharmaceutical companies could target predisposed individuals for certain medications while cybercriminals could extort victims by threatening to expose damaging information.

While a data breach lawsuit settlement hardly eliminates the security risks of leaking sensitive personal information, it forces companies to rethink their cybersecurity practices.

The settlement amount also compensates victims for the emotional distress experienced. It could assist them in addressing certain cybersecurity risks and cover legal fees, which could take up to 25% of the gross payout.

While cybersecurity insurance will prevent 23andMe from going bankrupt, the company also grapples with additional financial issues, including lost profit and plummeting stocks, which fell below $1 from $10.

23andMe CEO Anne Wojcicki had unsuccessfully attempted to make the company private “as promptly as possible” by acquiring all the common stock at 40 cents per share, as the company struggled to raise steady revenue.

Suffice to say, the data breach lawsuit demonstrates that a cyber attack existentially threatens the affected company, underscoring the need for preventive measures.