Monday, September 16, 2024

23andMe to pay $30 million in genetics data breach settlement


DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023.

The proposed class action settlement, filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval.

“23andMe believes the settlement is truthful, satisfactory, and cheap,” the company said in a memorandum filed Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits.

The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.

“23andMe denies the claims and allegations set forth within the Grievance, denies that it did not correctly defend the Private Data of its customers and customers, and additional denies the viability of Settlement Class Representatives’ claims for statutory damages,” the company said in the filed preliminary settlement.

“23andMe denies any wrongdoing in any way, and this Settlement shall in no occasion be construed or deemed to be proof of or an admission or concession on the part of 23andMe with respect to any declare of any fault or legal responsibility or wrongdoing or injury in any way.”

This settlement addresses claims that the genetic testing company failed to safeguard customers’ privacy and neglected to inform customers that hackers specifically targeted them and that their information was reportedly offered for sale on the dark web.

Data stolen following credential-stuffing attack

In October 2023, 23andMe revealed that unauthorized access to customer profiles occurred through compromised accounts. Hackers exploited credentials stolen from other breaches to access 23andMe accounts.

After discovering the breach, the company implemented measures to block similar incidents, including requiring customers to reset passwords and enabling two-factor authentication by default starting in November.

Starting in October, threat actors leaked data profiles belonging to 4.1 million people in the United Kingdom and 1 million Ashkenazi Jews on the unofficial 23andMe subreddit and hacking forums like BreachForums.

23andMe told BleepingComputer in December that data for 6.9 million customers, including information on 6.4 million U.S. residents, was downloaded in the breach.

In January, the company also confirmed that attackers stole health reports and raw genotype data over a five-month credential-stuffing attack from April to September.

The data breach led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023, a move criticized by customers. The company later clarified that the changes aimed to simplify the arbitration process.
