Substantial Data Breach Impacts 23andMe Customers: $30 Million Settlement Announced
In 2023, a significant data breach at genetic testing giant 23andMe led to a prolonged period of upheaval for the company, which is based in San Francisco. This breach, announced in October 2023, involved unauthorized access to sensitive customer information, with the full extent of the incident becoming clear only in December. Around 14 million customers were potentially affected, with approximately half having their personal data exposed.
The breach reportedly began in April 2023, when hackers launched an attack on the company’s systems. The subsequent lawsuit, filed in January 2024, alleged that 23andMe had failed to adequately protect its customers’ data. Specifically, the complaints highlighted that some users of Chinese or Ashkenazi Jewish descent were not promptly informed that their information was particularly targeted and subsequently disseminated on the dark web. In response to these allegations, 23andMe opted to settle the lawsuit for a substantial $30 million.
A spokesperson for 23andMe confirmed the settlement, emphasizing that it serves the best interests of their customers while noting that the company remains committed to improving data security measures. Affected individuals now have the opportunity to file claims as a part of this settlement, with eligible claimants potentially receiving payments of up to $10,000 depending on the extent of the hardships incurred due to the breach.
To qualify for a share of the settlement, customers must demonstrate residency in the U.S. as of August 11, 2023, and will be part of a class that includes approximately 6.9 million users. This group encompasses around 5.5 million individuals who utilized 23andMe’s DNA Relatives feature, alongside 1.4 million users of the Family Tree service, which connects users based on shared DNA data.
As part of the settlement, individuals in states with specific genetic privacy laws—such as Alaska, California, Illinois, and Oregon—may receive approximately $100, while a smaller subset whose health information was compromised can claim an additional $100. Notably, 23andMe is also offering three years of enhanced security monitoring through a service called Privacy Shield, designed to provide both web and dark web monitoring for affected customers.
Mapped to the MITRE ATT&CK framework, the reported tactics fall under Initial Access, with credential stuffing as the likely technique. Initial Access covers the techniques an attacker uses to gain an unauthorized foothold in a system; credential stuffing reuses stolen username and password pairs, typically taken from other breaches, to log in to additional accounts.
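The credential-stuffing pattern described above leaves a recognisable trace in authentication logs. The following is an added example, not 23andMe's code, using a constructed log format and constructed thresholds: it flags a source IP that tries many distinct usernames in a short window with a low success rate, and lists the accounts where it got in.

```python
"""Flag credential-stuffing sources in authentication logs.
Added example, not 23andMe's code. Constructed log format:
<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 cycles through many accounts with mostly
# failures (stuffing), 203.0.113.9 is one user retrying their own password.
SAMPLE_LOG = """\
2023-04-02T10:00:01Z 198.51.100.7 alice LOGIN_FAIL
2023-04-02T10:00:02Z 198.51.100.7 bob LOGIN_FAIL
2023-04-02T10:00:03Z 198.51.100.7 carol LOGIN_OK
2023-04-02T10:00:04Z 198.51.100.7 dave LOGIN_FAIL
2023-04-02T10:00:05Z 198.51.100.7 erin LOGIN_FAIL
2023-04-02T10:00:06Z 198.51.100.7 frank LOGIN_FAIL
2023-04-02T10:05:00Z 203.0.113.9 heidi LOGIN_FAIL
2023-04-02T10:05:20Z 203.0.113.9 heidi LOGIN_FAIL
2023-04-02T10:05:40Z 203.0.113.9 heidi LOGIN_OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.3):
    """Return {ip: (distinct_users, success_rate, accounts_entered)} for sources that
    try many distinct usernames in one window with a low success rate: the stuffing
    fingerprint. A user retrying one account never trips it; accounts_entered need a reset."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding time window per source IP
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            successes = sorted({e[2] for e in window_evs if e[3] == "LOGIN_OK"})
            rate = sum(e[3] == "LOGIN_OK" for e in window_evs) / len(window_evs)
            if len(users) >= min_users and rate <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:  # keep the widest window seen
                    flagged[ip] = (len(users), rate, successes)
    return flagged
```

The thresholds are illustrative; in production they are tuned per login endpoint, and the accounts listed under accounts_entered are the ones to force a password reset and session revocation on.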
For those wishing to file claims electronically, a secure online portal is available for submissions, alongside options for traditional mail. Claimants wishing to receive proof of their submissions can also request documentation through the designated channels. The deadline for filing claims is set for July 14, making it imperative for affected users to act promptly.
In summary, the data breach at 23andMe serves as a reminder of the critical importance of robust cybersecurity measures in today’s digital landscape. Business owners and professionals must remain vigilant against such threats, implementing preventive measures to safeguard sensitive information and mitigate the risks of potential breaches.