23andMe is nearing a settlement of $30 million in response to a class action lawsuit stemming from a data breach that exposed the personal information of 6.9 million users. The proposed settlement includes compensation for affected customers, along with enhanced security measures such as annual computer scans and cybersecurity audits over the next three years.
A dedicated website will be established to inform eligible users about the settlement and payment processing. Additionally, impacted users will be given the option to delete their information from the service and can enroll in a free three-year Privacy & Medical Shield + Genetic Monitoring program. The settlement terms are still awaiting judicial approval.
The data breach, disclosed by 23andMe in October 2023, involved the leakage of sensitive information from the DNA Relatives profiles of 5.5 million customers and Family Tree profiles of 1.4 million participants. The company later revealed that hackers had access to its systems from April to September 2023, using a technique known as credential stuffing.
This method involves taking usernames and passwords leaked in earlier, unrelated breaches and replaying them against the login form, succeeding wherever a customer had reused the same password for their 23andMe account; the incident highlighted security vulnerabilities within the company’s infrastructure.
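Because credential stuffing uses valid passwords, each individual login looks legitimate; what gives it away is the pattern: one source trying many distinct accounts in a short window, with most attempts failing and a few succeeding. The following detector is an added illustration and is not code from 23andMe or from the article. It runs over a few constructed login-audit lines (timestamp, source IP, username, outcome); the log format, the thresholds (`window`, `min_users`, `min_fail_ratio`) and the field names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-audit lines (not real 23andMe logs).
# Format assumed for this example: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays ten different accounts in six seconds and gets into two of them;
# 198.51.100.4 is one user mistyping then succeeding; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol OK
2023-05-01T10:00:03Z 203.0.113.7 dave FAIL
2023-05-01T10:00:03Z 203.0.113.7 erin FAIL
2023-05-01T10:00:04Z 203.0.113.7 frank FAIL
2023-05-01T10:00:04Z 203.0.113.7 grace OK
2023-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-05-01T10:00:05Z 203.0.113.7 ivan FAIL
2023-05-01T10:00:06Z 203.0.113.7 judy FAIL
2023-05-01T10:05:00Z 198.51.100.4 alice FAIL
2023-05-01T10:05:30Z 198.51.100.4 alice OK
2023-05-01T11:00:00Z 192.0.2.9 mallory OK
"""


def parse_line(line):
    """Split one audit line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within `window`, try at least `min_users` distinct
    accounts with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: {attempts, distinct_users, failures, accounts_to_reset}}, where
    accounts_to_reset lists the usernames the source successfully logged into:
    those are the accounts whose reused password should be treated as compromised.
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window starting at each event; report the first one that trips the rule.
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failures": failures,
                    "accounts_to_reset": sorted(u for _, u, ok in span if ok),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts, "
              f"{info['failures']} failed; reset {info['accounts_to_reset']}")
```

The rule keys on distinct usernames per source rather than on failures per account, because a stuffing run touches each account only once or twice and never trips a per-account lockout. The single-user retry from 198.51.100.4 is correctly left alone. In practice the successful logins in the flagged window are the actionable output: force a password reset and session revocation on those accounts, and pair the detection with a breached-password check at login and multi-factor authentication so that a reused password alone is not enough to get in.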
Multiple lawsuits were filed against 23andMe in response to the breach, with one case alleging that certain customers of Chinese and Ashkenazi Jewish heritage were specifically targeted. However, in the settlement agreement, 23andMe firmly denied these claims, stating that it had not failed to protect user information as alleged. The company reiterated that it did not neglect its responsibility to secure personal data and disputed the accusations brought forward in the lawsuit.
The breach and subsequent legal challenges have surfaced at a time of financial uncertainty for 23andMe. In its 2024 fiscal report, the company disclosed that its total revenue had declined by 27%, dropping from $299 million to $220 million year-over-year. To cover the settlement cost, 23andMe plans to rely on its cyber insurance policy, which is expected to contribute $25 million toward the total $30 million settlement payout.
As the proposed settlement awaits court approval, 23andMe is taking steps to manage the aftermath of the data breach. The financial and reputational impacts of the incident are significant, and the company is focusing on improving its cybersecurity protocols while compensating affected users. However, the company’s ongoing financial challenges may continue to shape its recovery and future business strategies.