23andme Reaches $30 Million Settlement After Data Breach

Case Overview: A class action lawsuit against 23andMe, which alleged that the company failed to adequately protect user data, leading to a data breach that exposed the personal information of millions of customers, has been settled for $30 million.

Consumers Affected: 23andMe customers whose personal information was compromised in the data breach.

Court: U.S. District Court for the Northern District of California

Genetic testing company 23andMe has agreed to pay $30 million and provide three years of security monitoring services to settle a lawsuit over a data breach that exposed the personal information of 6.9 million customers. 

The preliminary settlement, filed in federal court in San Francisco, includes cash payments for affected customers and a program offering privacy and medical protection. The settlement still requires court approval, Reuters reports.

Data Breach Exposes Millions of 23andMe Customers to Identity Theft and Fraud

The breach occurred between April and September 2023, affecting almost half of 23andMe’s 14.1 million customers. Hackers accessed 5.5 million DNA Relatives profiles and data for another 1.4 million users who used the company’s Family Tree feature, TechCrunch reported. The compromised accounts were accessed through a method called credential stuffing, where hackers used previously stolen usernames and passwords from other websites to infiltrate 23andMe accounts.

While 23andMe claims its own systems weren’t breached directly, the stolen information included display names, predicted relationships, and DNA shared with relatives. Despite the breach, the company insists that sensitive data, such as ancestry reports, were not compromised.

Lawsuit Claims 23andMe Failed to Protect User Privacy

The lawsuit accused 23andMe of failing to protect the privacy of its customers. It further alleged that the hackers specifically targeted users of Chinese and Ashkenazi Jewish descent, compiling their data into "curated lists" that were sold on the dark web. The lawsuit also criticized 23andMe for not promptly notifying customers about the targeted nature of the breach.

The breach, which lasted for five months before being detected, led to personal information, including genetic data, being sold online, sparking concern among users and advocates, according to the lawsuit.

What Is 23andMe and What Data Was Compromised in the Breach?

23andMe is a popular genetic testing company that offers customers insights into their ancestry and health through DNA testing kits. It gained widespread attention after high-profile endorsements from celebrities like Oprah Winfrey and Lizzo. 

Founded by Anne Wojcicki, the company has also explored expanding its business into healthcare, hoping to develop drugs and offer medical services. However, 23andMe has struggled financially since going public in 2021, with its stock price falling and significant layoffs in recent years.

23andMe's Financial Struggles Deepen After Data Breach

23andMe’s financial struggles have deepened in the wake of the data breach. In the quarter ending June 30, the company reported a loss of $69.4 million on revenue of $40.4 million. 

Despite raising $1.4 billion in funding over the years, the company has burned through much of it and has yet to turn a profit. CEO Anne Wojcicki has been working to take the company private after its stock fell below $1 and faced the possibility of being delisted from the Nasdaq.

Companies Face Legal Action Over Data Breaches As Cybercrime Rises

23andMe is just one of many companies facing lawsuits due to data breaches. In recent years, companies like Toshiba, HealthEquity, and Coastal Orthopedics have faced similar legal battles after hackers gained access to sensitive personal information. As cybercrime rises, more companies are being held accountable for security lapses that expose customer data.

Case Details

• Lawsuit: In re 23andMe Inc Customer Data Security Breach Litigation
• Case Number: 24-md-03098
• Court: U.S. District Court for the Northern District of California

Have you used 23andMe or other genetic testing services? Are you concerned about the security of your personal and genetic data? Share your thoughts and experiences in the comments below.