23andMe recently announced its intention to settle a class-action lawsuit amounting to $30 million, following allegations of inadequate protection of user data. In 2023, a data breach compromised the personal information of approximately half of the company’s user base, leading to increased skepticism surrounding the well-known ancestry service. Individuals who have engaged with 23andMe may be eager to determine their eligibility for potential compensation.
Based in San Francisco, 23andMe provides users with genetic testing services that offer insights into ancestry. The company revealed a data breach in October 2023, confirming that unauthorized access to customer data had occurred. However, it wasn’t until December that it disclosed the full scale of the incident, which began in April 2023. The breach affected nearly 7 million users out of its total 14 million account holders.
The lawsuit, initiated in January, raised concerns that 23andMe failed to adequately inform customers, particularly those of Chinese and Ashkenazi Jewish descent, that their data had been specifically targeted and subsequently posted on the dark web. This breach not only affected user trust but also raised significant questions about the company’s cybersecurity measures.
Under the proposed settlement, pending preliminary court approval, the company plans to allocate as much as $10,000 to qualified users depending on the documented hardships they faced due to the breach. A 23andMe representative stated, “We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident.” The company says it believes this resolution serves the best interests of its customers.
The settlement will specifically cover around 6.9 million users affected by the breach, mandating that they were US residents as of August 11, 2023, as part of the eligibility criteria. Within this group, approximately 5.5 million users who utilized the DNA Relatives feature are included, while the remaining 1.4 million engaged with the Family Tree service.
Compensation will be available for those able to substantiate that they experienced hardships due to identity theft stemming from the breach. Such claims may include expenses related to identity fraud or costs incurred from acquiring security measures. Additionally, users from states like Alaska, California, Illinois, and Oregon can expect smaller settlements based on specific genetic privacy laws in those jurisdictions.
In a bid to address user concerns and enhance security, 23andMe will also provide a three-year subscription to a security monitoring service called Privacy Shield. This service is designed to deliver comprehensive monitoring for potential threats on both the regular web and dark web.
For now, impacted users cannot apply for settlement compensation while the agreement undergoes judicial review. Updates on the matter will be published as they become available so that affected individuals know the next steps.
Mapped onto the MITRE ATT&CK framework, the tactics behind this breach fall into several categories. The initial access vector matches credential stuffing: the attacker replays username-and-password pairs leaked in earlier, unrelated breaches against the login service, and gains entry to every account whose owner reused a password. Persistence tactics could also have been employed to keep access to systems after the initial entry, which underscores the need for robust security controls to mitigate such risks in the future. Overall, the incident is a stark reminder of the exposure companies face in an increasingly digital landscape.
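Credential stuffing (ATT&CK catalogs it as a sub-technique of Brute Force, T1110.004) has a recognizable footprint in authentication logs: one source address tries many distinct usernames in a short window, most attempts fail, and a few succeed. The script below, an added example that is not part of the article and not 23andMe's own tooling, runs that detection over a small constructed auth log. The log line format, the 10-minute window and the five-distinct-users threshold are assumptions chosen for illustration; the successful logins it reports from a flagged source are the accounts a defender would force-reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, fabricated addresses and
# users; not real 23andMe data). 203.0.113.7 cycles through six different
# accounts with leaked passwords and two of them work. 198.51.100.5 is a
# legitimate user who mistypes a password twice and then logs in.
SAMPLE_LOG = """\
2023-04-02T10:00:01Z login user=alice@example.com src=203.0.113.7 result=FAIL
2023-04-02T10:00:02Z login user=bob@example.com src=203.0.113.7 result=FAIL
2023-04-02T10:00:03Z login user=carol@example.com src=203.0.113.7 result=OK
2023-04-02T10:00:10Z login user=grace@example.com src=198.51.100.5 result=FAIL
2023-04-02T10:00:04Z login user=dave@example.com src=203.0.113.7 result=FAIL
2023-04-02T10:00:05Z login user=erin@example.com src=203.0.113.7 result=FAIL
2023-04-02T10:00:20Z login user=grace@example.com src=198.51.100.5 result=FAIL
2023-04-02T10:00:06Z login user=frank@example.com src=203.0.113.7 result=OK
2023-04-02T10:00:31Z login user=grace@example.com src=198.51.100.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return one alert per source address that attempted at least
    `min_distinct_users` different usernames within `window`.

    Each alert reports the widest window observed for that source: how many
    distinct users were tried, how many attempts failed, and which accounts
    were successfully logged into (likely compromised through password reuse).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # log lines may arrive out of order

    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        best = None
        start = 0
        # Sliding window over this source's events, ordered by time.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e["user"] for e in window_evs}
            if len(users) < min_distinct_users:
                continue
            candidate = {
                "src": src,
                "window_start": window_evs[0]["ts"],
                "window_end": window_evs[-1]["ts"],
                "distinct_users": len(users),
                "failures": sum(1 for e in window_evs if e["result"] == "FAIL"),
                "compromised": sorted({e["user"] for e in window_evs if e["result"] == "OK"}),
            }
            if best is None or candidate["distinct_users"] > best["distinct_users"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(
            f"credential stuffing from {alert['src']}: "
            f"{alert['distinct_users']} accounts tried, {alert['failures']} failures, "
            f"successful logins: {', '.join(alert['compromised']) or 'none'}"
        )
```

The legitimate user is never flagged because the rule keys on the number of distinct accounts per source rather than on failure counts alone; a real deployment would also aggregate across rotating source addresses, since stuffing campaigns commonly spread attempts over many proxies.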