23andMe Offers $30 Million Settlement for Data Breach

Genetic information and ancestry reports of U.S. citizens were among the information stolen in the cyberattack.
Naveen Athrappully

Genetic testing firm 23andMe has agreed to compensate millions of customers affected by a data breach on the company’s platform, offering $30 million as part of a settlement, along with providing users with access to a security monitoring system.

The company will pay the amount to approximately 6.4 million American users, according to a proposed class-action settlement filed on Sept. 12 in the U.S. District Court for the Northern District of California.

Personal information was exposed last year after a threat actor gained access to user accounts, pulled data out of them, and offered that data for sale on the dark web.

The data potentially encompassed users’ names, sex, date of birth, genetic information, predicted relationships with genetic matches, ancestry reports, ancestors’ birth locations and family names, family tree information, and geographic locations, according to the company.

According to the settlement proposal, users will be sent a link where they can delete all information related to or held by 23andMe.

“23andMe denies any wrongdoing whatsoever,” the company said, while adding that it is settling because it considers further litigation would be “protracted, burdensome and expensive,” according to the court filing. The settlement is subject to court approval.

The company said in a memorandum filed on Sept. 13 that the proposed settlement is “fair, adequate, and reasonable.”

The hack was first reported by 23andMe on Oct. 6, 2023.

“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts,” the company said.

Credential stuffing is an automated attack in which username and password pairs leaked in breaches of other websites are replayed against a target’s login form. It is usually grouped with brute-force techniques, but it does not guess passwords: each account is typically tried once, with a password already known to be valid somewhere else, and it succeeds whenever people reuse the same username and password across different websites. Because a stuffing run can log in on its first attempt, monitoring that counts only failed logins can miss it; the telltale sign is one source trying many different accounts in a short time. In this case the accounts actually logged into were only the starting point: the attacker then used the DNA Relatives and Family Tree features to collect data from the far larger set of profiles connected to those accounts.
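The detection idea above, as an added example that is not part of the original article and is not 23andMe’s own tooling: a small Python script that runs over a handful of constructed authentication log lines (invented here; the log format, IP addresses, and usernames are assumptions) and flags a source IP that touches many distinct accounts within a short window, then lists the accounts that source actually got into so they can be reset first. A source hammering one account is left alone by this rule, since that is a different pattern (brute force) with its own detection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (invented for this example; not real data).
# 203.0.113.7 tries six different accounts once each and gets two right:
# the signature of credential stuffing with a leaked username/password list.
# 198.51.100.4 retries one account three times: brute force, a different pattern.
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = [
    "2023-10-01T12:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2023-10-01T12:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2023-10-01T12:00:02Z src=203.0.113.7 user=carol result=OK",
    "2023-10-01T12:00:03Z src=203.0.113.7 user=dave result=FAIL",
    "2023-10-01T12:00:04Z src=203.0.113.7 user=erin result=OK",
    "2023-10-01T12:00:05Z src=203.0.113.7 user=frank result=FAIL",
    "2023-10-01T12:00:10Z src=198.51.100.4 user=grace result=FAIL",
    "2023-10-01T12:00:20Z src=198.51.100.4 user=grace result=FAIL",
    "2023-10-01T12:00:30Z src=198.51.100.4 user=grace result=OK",
    "2023-10-01T12:30:00Z src=192.0.2.9 user=heidi result=OK",
]

# Assumed log line layout: ISO timestamp, source IP, username, OK/FAIL result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempt >= min_accounts distinct accounts within `window`.

    Distinct accounts, not failed attempts, is the metric: a stuffing run may
    succeed on its first try against a reused password, so a failed-login
    threshold alone does not catch it. Returns {src: summary of the busiest window}.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        j = 0
        for i in range(len(events)):
            # Slide the window end forward; j never moves backwards because
            # events are sorted by time.
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            span = events[i:j]
            users = {e["user"] for e in span}
            if len(users) >= min_accounts and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "successes": sum(1 for e in span if e["ok"]),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                }
        if best:
            alerts[src] = best
    return alerts


def accounts_to_reset(lines, alerts):
    """Accounts with a successful login from a flagged source: reset their
    passwords and revoke their sessions first, since those are the ones the
    attacker is actually inside."""
    hits = set()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ok"] and ev["src"] in alerts:
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for src, info in found.items():
        print(f"{src}: {info['distinct_users']} accounts, {info['successes']} successes "
              f"between {info['first']} and {info['last']}")
    print("reset first:", accounts_to_reset(SAMPLE_LOG, found))
```

The threshold of five accounts in five minutes is a starting point to tune against real traffic (shared NAT egress points and corporate proxies legitimately show many users per IP); in production the same rule is usually keyed on a combination of IP, ASN, and device fingerprint rather than the bare address.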

Since the data breach, 23andMe has implemented two-step verification to add an extra layer of security. A second factor blunts credential stuffing because a replayed password alone no longer completes the login, though it protects only the accounts on which it is actually turned on.

23andMe’s Financial Performance

23andMe’s reported revenue for the fourth quarter of fiscal 2024 was $64 million, 31 percent lower than the $92.4 million of the same quarter in fiscal 2023, according to a company press release.

The company attributed this to the end of a collaboration with GSK, as well as fewer Personal Genome Service kit and telehealth orders. It reported that its fiscal 2024 revenue was $219.6 million, nearly $80 million less than the $299.5 million it collected in fiscal 2023.

The company’s shares have fallen in value by more than 63 percent since the beginning of the year. The share price peaked in early 2021, when the stock traded at over $16.

According to the press release, the company has been granted until Nov. 4 to regain compliance with the minimum bid price requirement for continued listing on The Nasdaq Capital Market, which is Nasdaq’s tier for companies with the smallest levels of market capitalization.

The company’s “extremely uncertain financial condition” was mentioned in the settlement proposal.

The company said it faces the threat of exorbitant arbitration filing fees and may be forced to “enter into different mass settlements with each counsel threatening mass arbitration claims.”

“Such settlements would benefit only a very limited number of the members of the Settlement Class, and the mass arbitration counsel who have orchestrated that strategy,” it said, indicating that some claimants may not receive any financial compensation.

In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, “roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.”

Besides company data and the personal information of individuals, hackers have increasingly targeted critical infrastructure in the United States. Multiple foreign players, including Russia and China, are behind these attacks on the nation’s resources, according to U.S. intelligence agencies.

A joint cybersecurity advisory recently issued by multiple U.S. agencies found a clandestine Russian military unit responsible for cyberattacks against global targets.