
23andMe to pay $30 million to settle class action lawsuit over October data breach

U.S. biotechnology and genomics company 23andMe has agreed to a $30 million settlement in the U.S. over a data security incident that compromised the sensitive personal information of 6.4 million customers.

 

In October, 23andMe disclosed a data security incident after a threat actor listed it as a victim on its data leak site. The threat actor also published samples of data allegedly stolen from the company, including 1 million lines of information about Ashkenazi Jews. Ashkenazi Jews are those who believe they are descended from Jews who lived in Central or Eastern Europe.

 

A company spokesperson added that the perpetrator accessed the data of at least 6.4 million people who opted in to 23andMe’s DNA Relatives feature. The compromised data included display names, relationship labels, birth year, self-reported location and whether the user decided to share their information.

 

The Information Commissioner’s Office announced that it will investigate the data security incident along with the Office of the Privacy Commissioner of Canada (OPC).

 

Several lawsuits were filed against the company for failing to protect its users’ personal information and failing to inform its users in a timely manner that threat actors had put the stolen data up for sale on the dark web.

 

Earlier this week, 23andMe agreed to pay $30 million to settle a class action lawsuit filed in the District Court of the Northern District of California. The settlement amount includes cash payments for affected customers. Once the settlement is approved by the federal court, the amount will be disbursed to affected individuals within ten days.

 

23andMe believes that the settlement is fair, adequate, and reasonable. As part of the agreement with affected customers, the genomics company has agreed to strengthen its security measures, including defending against credential-stuffing attacks, introducing mandatory two-factor authentication, and undergoing annual cybersecurity audits to avoid such incidents in the future.

 

The company has also agreed to maintain a data breach incident response plan and not store any personal data for inactive or deactivated accounts.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543