23andMe Data Breach Settlement: $30 Million for 6.9 Million Customers

Details of the $30 Million Settlement

23andMe has agreed to pay $30 million to settle a class action lawsuit resulting from a massive data breach affecting more than 6.9 million customers. This settlement, aimed at compensating impacted customers, also provides them access to a security monitoring program for three years. The breach was disclosed in October 2023, with confirmation of its impact coming in December.

Nature and Impact of the Data Breach

• Credential stuffing was blamed for the hack, where log-ins from previous breaches were reused.
• Personal information, including names, birth years, and ancestry data may have been exposed.

Legal Actions Taken

In January 2024, a class action lawsuit was filed against 23andMe in San Francisco. Customers accused the company of not adequately protecting their privacy, particularly targeting users with Chinese or Ashkenazi Jewish heritage.

Company's Financial Concerns

The breach has further harmed 23andMe's already struggling financial position. CEO Anne Wojcicki's attempts to take the company private were recently rejected. The settlement outlines concerns about the company's ability to pay more in damages, stating that any substantial litigated judgment might be uncollectable.

Next Steps for the Settlement

A spokesperson for 23andMe confirmed that roughly $25 million of the settlement is expected to be covered by cyber insurance. The company remains optimistic about finalizing the settlement agreement pending judicial approval.