23andMe to pay $30 million in genetics data breach settlement

DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.

“23andMe believes the settlement is fair, adequate, and reasonable,” the company said in a memorandum filed Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.

The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.

“23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company said in the filed preliminary settlement.

“23andMe denies any wrongdoing whatsoever, and this Settlement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever.”

This settlement addresses claims that the genetic testing company failed to safeguard users’ privacy and neglected to inform customers that hackers specifically targeted them and that their information was reportedly offered for sale on the dark web.

Data stolen following credential-stuffing attack

In October 2023, 23andMe revealed that unauthorized access to customer profiles occurred through compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts.

After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.

Beginning in October, threat actors leaked data profiles belonging to 4.1 million people in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums like BreachForums.

23andMe told BleepingComputer in December that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.

In January, the company also confirmed that attackers stole health reports and raw genotype data over a five-month credential-stuffing attack from April to September.

The data breach led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move criticized by customers. The company later clarified that the changes aimed to simplify the arbitration process.
