Genetic testing company 23andMe has agreed to terms that could resolve the class-action lawsuit it is currently facing following a major data breach.
In October 2023 it emerged that attackers had accessed 23andMe user accounts. The company's subsequent investigation confirmed that DNA Relatives profile data for roughly 5.5 million people had been accessed, along with Family Tree profile information for roughly 1.4 million DNA Relatives participants.
The data theft began in April 2023 and continued until September of that year.
The terms of the agreement
In January 2024 the company put the blame on its customers. Because the attackers logged in with valid credentials reused from earlier, unrelated breaches (credential stuffing), 23andMe argued that users “negligently recycled and failed to update their passwords following previous security incidents unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” it said at the time.
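Credential stuffing leaves a server-side signature that does not depend on whether customers reused passwords: one source tries many different usernames in a short time, and most of the attempts fail. The following is an added example, not code from 23andMe or from the article, showing that check over a constructed auth log; the log format, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log (not real 23andMe data). One line per login
# attempt: timestamp, source IP, username, result. The format is an assumption.
SAMPLE_LOG = """\
2023-04-20T10:00:01Z src=203.0.113.7 user=alice result=OK
2023-04-20T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2023-04-20T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2023-04-20T10:00:07Z src=203.0.113.7 user=dave result=OK
2023-04-20T10:00:09Z src=203.0.113.7 user=eve result=FAIL
2023-04-20T10:00:11Z src=203.0.113.7 user=frank result=FAIL
2023-04-20T10:00:13Z src=203.0.113.7 user=grace result=FAIL
2023-04-20T10:00:15Z src=203.0.113.7 user=heidi result=FAIL
2023-04-20T10:01:00Z src=198.51.100.5 user=ivan result=OK
2023-04-20T10:02:00Z src=198.51.100.9 user=judy result=FAIL
2023-04-20T10:02:20Z src=198.51.100.9 user=judy result=FAIL
2023-04-20T10:02:40Z src=198.51.100.9 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, inside some sliding time window, try at least
    `min_users` distinct usernames with a failure ratio of `min_fail_ratio` or
    more. Returns (flagged_ips, compromised_accounts): per-IP stats for the
    widest matching window, and the accounts that logged in OK from a flagged
    source. The thresholds are illustrative assumptions, not 23andMe's."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span is at most `window` long.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {x["user"] for x in win}
            fails = sum(1 for x in win if not x["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                stats = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
                if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats

    # A successful login from a flagged source is a stuffed credential that worked.
    compromised = sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_stuffing(SAMPLE_LOG.splitlines())
    for ip, stats in flagged.items():
        print(f"credential stuffing from {ip}: {stats}")
    print("accounts to lock and force-reset:", compromised)
```

The accounts that logged in successfully from a flagged source (alice and dave in the sample) are the ones to lock and force-reset, and rate limiting or MFA on the login endpoint stops the attempts before they succeed. A user who mistypes their own password several times (judy in the sample) is not flagged, because the distinct-username count stays at one. Real deployments key on more than the source IP, since stuffing is usually spread across proxies, but the distinct-user and failure-ratio signals are the same.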
The victims' class action lawsuit is now, in the firm's words, “close to settling,” and the terms only await the judge's approval.
Under the proposed settlement, 23andMe will pay $30 million to affected customers and undergo annual computer scans and cybersecurity audits for the next three years. It will set up a dedicated website to notify eligible people about the payment, and give every customer a simple way to delete all of their data from the company's servers.
Finally, affected customers will receive three years of the Medical Privacy and Protection + Genetic Monitoring program free of charge.
It remains to be seen how the settlement will affect the company's business. Reuters reports that 23andMe has described its financial situation as “extremely uncertain,” with revenue down by roughly a quarter (from $299 million to $220 million) compared with the previous year.
Via Engadget