DNA testing company 23andMe has agreed to a $30 million settlement following a substantial data breach that compromised the personal information of 6.4 million customers. Filed in a San Francisco federal court, the settlement is currently awaiting judicial approval.
The proposed class action settlement includes cash payments for affected customers, to be paid out within ten days of final approval. 23andMe has publicly stated that it believes the settlement is "fair, adequate, and reasonable." Notably, the company continues to deny any wrongdoing or negligence in protecting its customers' personal information.
In response to the breach, 23andMe has committed to bolstering its security infrastructure significantly. The enhancements include implementing protections against credential-stuffing attacks, requiring two-factor authentication (2FA) for all users, and conducting annual cybersecurity audits.
The commitments also include establishing a comprehensive data breach incident response plan, no longer retaining personal data for inactive or deactivated accounts, and providing updated Information Security Program training to all employees annually.
The privacy authorities for Canada and the U.K. started a joint investigation into the data breach in June.
The security incident was discovered in October 2023 and revealed that unauthorized access to customer profiles occurred via credential-stuffing attacks: the attackers replayed username and password pairs leaked in breaches of other sites, and the logins succeeded wherever a customer had reused the same password on 23andMe. In this way roughly 14,000 accounts were logged into directly, and data such as family trees, birth years, and geographic locations was taken from them. The far larger number of customers covered by the settlement reflects profile data that those accounts could see about other users who had opted into 23andMe's relative-matching features, which the attackers also harvested.
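The pattern described above has a recognizable signature in authentication telemetry: one source hitting many distinct accounts, each typically once, with a high failure rate and only a sprinkling of successes. The following detector is an added example written for this article, not code from 23andMe or from the lawsuit filings. It assumes a constructed, whitespace-delimited login log (timestamp, source IP, username, OK/FAIL); the IPs, usernames and thresholds are made up for illustration. It flags stuffing sources by sliding a time window over each IP's attempts and then lists the accounts that nevertheless logged in successfully from a flagged source, which are the ones an incident responder would treat as compromised and force through a password reset and 2FA enrollment.

```python
"""Credential-stuffing detector over a constructed login log (example code)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample, not real data: one stuffing source (203.0.113.7), one
# ordinary user who fat-fingers a password twice, and one clean login.
SAMPLE_LOG = """
2023-09-01T10:00:01Z 203.0.113.7 alice FAIL
2023-09-01T10:00:02Z 203.0.113.7 bob FAIL
2023-09-01T10:00:03Z 203.0.113.7 carol OK
2023-09-01T10:00:04Z 203.0.113.7 dave FAIL
2023-09-01T10:00:05Z 203.0.113.7 erin FAIL
2023-09-01T10:00:06Z 203.0.113.7 frank OK
2023-09-01T10:00:07Z 203.0.113.7 grace FAIL
2023-09-01T10:00:08Z 203.0.113.7 heidi FAIL
2023-09-01T10:01:00Z 198.51.100.12 alice FAIL
2023-09-01T10:01:20Z 198.51.100.12 alice FAIL
2023-09-01T10:01:45Z 198.51.100.12 alice OK
2023-09-01T10:02:00Z 192.0.2.9 bob OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    distinct_users: int      # accounts touched in the worst window
    attempts: int            # attempts in that window
    failure_ratio: float     # share of those attempts that failed
    compromised: list[str]   # accounts that logged in OK from this source


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the hypothetical 'ts ip user RESULT' format, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events: list[LoginEvent],
                    window: timedelta = timedelta(minutes=10),
                    min_users: int = 5,
                    min_failure_ratio: float = 0.7) -> list[Finding]:
    """Flag source IPs that try many distinct accounts with mostly failures.

    A legitimate user retrying one account never reaches min_users, so the
    fat-fingered login in the sample is not flagged. Thresholds are
    illustrative; tune them against your own baseline traffic.
    """
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: dict[str, Finding] = {}
    for ip, evs in by_ip.items():
        win: deque[LoginEvent] = deque()
        for e in evs:                       # evs are already time-ordered
            win.append(e)
            while e.ts - win[0].ts > window:  # drop attempts older than the window
                win.popleft()
            users = {w.user for w in win}
            ratio = sum(not w.ok for w in win) / len(win)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev.distinct_users:
                    # Successes from a stuffing source are the accounts to reset.
                    hits = sorted({w.user for w in evs if w.ok})
                    findings[ip] = Finding(ip, len(users), len(win), round(ratio, 2), hits)
    return sorted(findings.values(), key=lambda f: f.ip)


def analyze(text: str = SAMPLE_LOG) -> list[Finding]:
    return detect_stuffing(parse_log(text))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.ip}: {f.distinct_users} accounts, {f.attempts} attempts, "
              f"{f.failure_ratio:.0%} failed; compromised: {', '.join(f.compromised)}")
```

On the constructed log this reports 203.0.113.7 as a stuffing source and names carol and frank as the accounts it got into; the retrying user at 198.51.100.12 is left alone. Real attackers spread attempts across proxy pools to stay under per-IP thresholds, so production rules usually also key on ASN, user-agent or device fingerprint, and the surest mitigation remains the one 23andMe is now adopting: mandatory 2FA, which turns a leaked password into a failed login rather than a compromised profile.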
The breach prompted multiple class-action lawsuits, which pressured 23andMe to amend its Terms of Use in November 2023, a move that faced customer backlash. The company clarified that the changes were intended to streamline the arbitration process rather than to evade responsibility.
Several other data breaches have been disclosed in the past couple of months, affecting Patelco Credit Union, Texas Dow Employees Credit Union, Toyota, Michigan Medicine, and others.