DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.
The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.
“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed Friday.
23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.
The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.
“23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company said in the filed preliminary settlement.
“23andMe denies any wrongdoing whatsoever, and this Settlement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever.”
This settlement addresses claims that the genetic testing company failed to safeguard customers’ privacy and neglected to notify customers that hackers had specifically targeted them and that their information was reportedly offered for sale on the dark web.
Data stolen following credential-stuffing attack
In October 2023, 23andMe disclosed that unauthorized access to customer profiles had occurred through compromised accounts. Hackers used credentials stolen in other breaches to log in to 23andMe accounts.
After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset their passwords and enabling two-factor authentication by default starting in November.
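As an added illustration, not code from 23andMe or from this article, the script below shows how a defender can spot the credential-stuffing pattern described above in authentication logs: a single source trying many distinct accounts in a short window, mostly failing, with a few successes that mark the accounts whose reused password matched. The log format, the thresholds and the sample log lines are assumptions constructed for the example; a real deployment would feed it from the identity provider's sign-in events.

```python
"""Credential-stuffing detection over authentication logs.

Credential stuffing replays username/password pairs leaked from other
breaches against a different site. From the defender's side its signature
is a source that attempts logins for many *distinct* accounts in a short
window, with a low success rate; the few successes are the accounts that
reused a breached password and should be forced to reset and enrol in 2FA.
Added example; log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <src ip> <user> <result>".
# 203.0.113.7 sprays ten accounts in six seconds; 198.51.100.22 is one user
# mistyping their own password twice, which must not be flagged.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 203.0.113.7 alice FAIL
2023-09-01T10:00:02Z 203.0.113.7 bob FAIL
2023-09-01T10:00:02Z 203.0.113.7 carol SUCCESS
2023-09-01T10:00:03Z 203.0.113.7 dave FAIL
2023-09-01T10:00:03Z 203.0.113.7 erin FAIL
2023-09-01T10:00:04Z 203.0.113.7 frank FAIL
2023-09-01T10:00:04Z 203.0.113.7 grace FAIL
2023-09-01T10:00:05Z 203.0.113.7 heidi SUCCESS
2023-09-01T10:00:05Z 203.0.113.7 ivan FAIL
2023-09-01T10:00:06Z 203.0.113.7 judy FAIL
2023-09-01T10:05:00Z 198.51.100.22 alice FAIL
2023-09-01T10:05:10Z 198.51.100.22 alice FAIL
2023-09-01T10:05:20Z 198.51.100.22 alice SUCCESS
"""


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        # Python < 3.11 does not accept a trailing 'Z', so normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, src, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=8, max_success_rate=0.5):
    """Flag sources whose activity in any sliding window looks like stuffing.

    Returns {src: {"users": max distinct accounts in a flagged window,
                   "attempts": max attempts in a flagged window,
                   "compromised": sorted accounts that succeeded from src}}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Two-pointer sliding window: drop events older than `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            successes = {e.user for e in span if e.ok}
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                a = alerts.setdefault(src, {"users": 0, "attempts": 0, "compromised": set()})
                a["users"] = max(a["users"], len(users))
                a["attempts"] = max(a["attempts"], len(span))
                a["compromised"].update(successes)

    for a in alerts.values():
        a["compromised"] = sorted(a["compromised"])
    return alerts


if __name__ == "__main__":
    for src, a in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {a['attempts']} attempts across {a['users']} accounts; "
              f"force reset + 2FA for {a['compromised']}")
```

The thresholds matter more than the algorithm: a window of a few minutes with eight distinct usernames catches a single-IP spray, but attackers spread attempts across proxies, so production detection also keys the same logic on ASN, device fingerprint or per-account failure counts, and the 2FA-by-default change described above is what stops a matched password from turning into an account takeover.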
Starting in October, threat actors leaked data profiles belonging to 4.1 million people in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and on hacking forums like BreachForums.
23andMe told BleepingComputer in December that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.
In January, the company also confirmed that attackers stole health reports and raw genotype data over a five-month credential-stuffing attack from April to September.
The data breach led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move criticized by customers. The company later clarified that the changes were intended to simplify the arbitration process.