In April 2023 [6] [7] [9], a data breach at 23andMe exposed the personal information of 6.9 million customers [7], leading to a class-action lawsuit and a $30 million settlement.

Description

In April 2023 [6] [7] [9], a data breach at 23andMe exposed the personal information of 6.9 million customers [7], affecting nearly half of the company’s 14.1 million users at the time [7]. Hackers accessed 5.5 million DNA Relatives profiles and information for 1.4 million customers who used the Family Tree feature [7].

Following the breach, a class-action lawsuit in San Francisco alleged that users of Chinese and Ashkenazi Jewish heritage were specifically targeted on the dark web [8]. As a result, 23andMe has agreed to pay $30 million in a settlement, with $5 million set aside for user compensation [8]. Those who experienced financial fraud as a result of the breach can claim up to $10,000, while others are entitled to $100 [8]. The majority of the settlement will cover attorney fees [8]. The settlement also includes three years of security monitoring for affected customers and enrollment in a privacy and genetic monitoring program to prevent future fraud and identity theft issues.

The compromised data did not include sensitive information like social security numbers or payment details [4]. Threat actors later claimed to be selling genetic profile data for millions of British and Ashkenazi Jewish individuals [4]. An outside entity stole information from 23andMe customers using the DNA Relatives feature [11], leading to the service being temporarily disabled [11]. CEO Anne Wojcicki faces challenges in rebuilding trust with users and attracting new customers [10].

A website will be built to notify eligible individuals and facilitate payments [1], and affected users can delete their information and enroll in a free Privacy & Medical Shield + Genetic Monitoring program [1]. The breach, which occurred in 2023 [1] [6] [7] [9], led to several class-action lawsuits [1] [5] [12], including one alleging failure to notify individuals who were targeted based on heritage. 23andMe denies the claims and allegations in the lawsuit [1]. The company’s financial condition is described as “extremely uncertain,” with a revenue decrease of 27% in 2024 [1]. Plaintiffs’ lawyers may seek legal fees of up to 25% of the settlement amount [6] [7].

The breach exposed the profile information of approximately 6.9 million users [5], with names [5], birth years [2] [5] [12], genders [5], ancestry [2] [4] [5] [6] [9] [11] [12], and other non-DNA profile information being published on the dark web [5]. Hackers were able to breach accounts due to customers using the same username and password on 23andMe as on other compromised websites [5]. The settlement [1] [2] [3] [4] [5] [6] [7] [8] [12], pending approval by a judge [5] [7], includes $25 million covered by cyber insurance to address related legal expenses. 23andMe blamed customers for the breach, stating that users failed to update passwords following past security incidents [3]. The company is close to settling the lawsuit [3], with terms including a $30 million payout to affected customers [3], annual computer scans and cybersecurity audits for three years [1] [3], and a Privacy & Medical Shield + Genetic Monitoring program for victims [1] [3].

The breach occurred due to a credential stuffing attack [2], resulting in the sale of information belonging to as many as seven million customers on criminal forums [2]. Cybercriminals stole profile information shared through the DNA Relatives feature [2], with some genetic and health data potentially accessed. 23andMe blamed victims for the breach and failed to inform customers with Chinese and Ashkenazi Jewish ancestry that they were specifically targeted [2]. A class-action lawsuit was filed against 23andMe [2], alleging privacy protection failures [2], leading to the settlement [2]. The company’s market value has declined [2], and revenue has dropped [2], with cyber insurance expected to cover a portion of the settlement [2].

The court has yet to approve the settlement [2], which includes a fund for affected customers and identity and genetic monitoring [2] [7]. Other countries are investigating the breach [2], with over 3 million people affected [2]. Data from the breach is being sold on the dark web in separate sets for general users [2], Ashkenazi-based users [2], and China-based users [2].

Conclusion

The data breach at 23andMe has had significant impacts, leading to a class-action lawsuit [1] [3], a $30 million settlement [2] [5] [8] [9] [12], and ongoing challenges for the company in rebuilding trust with users. Mitigations such as security monitoring and a privacy program have been put in place to prevent future incidents, but the breach highlights the importance of cybersecurity and data protection in the digital age.

References

[1] https://www.engadget.com/cybersecurity/23andme-will-pay-30-million-to-settle-2023-data-breach-lawsuit-150058702.html
[2] https://www.malwarebytes.com/blog/news/2024/09/23andme-to-pay-30-million-in-settlement-over-2023-data-breach
[3] https://www.techradar.com/pro/security/23andme-set-to-pay-millions-to-settle-data-breach-lawsuit
[4] https://www.infosecurity-magazine.com/news/23andme-30m-data-breach-settlement/
[5] https://www.foxbusiness.com/lifestyle/23andme-agrees-pay-30m-settle-lawsuit-over-2023-data-breach
[6] https://globalnews.ca/news/10754251/23andme-data-breach-lawsuit-settlement/
[7] https://www.theglobeandmail.com/business/article-23andme-settles-data-breach-lawsuit-for-30-million/
[8] https://mashable.com/article/23andme-breach-victims-benfit-from-multi-million-dollar-settlement
[9] https://www.entrepreneur.com/business-news/23andme-settles-for-30-million-after-massive-data-breach/479931
[10] https://tech.co/news/30-million-compensation-data-breach
[11] https://www.usatoday.com/story/money/2024/09/16/23andme-class-action-lawsuit-settlement/75250132007/
[12] https://www.theverge.com/2024/9/13/24243986/23andme-settlement-dna-data-breach-lawsuit