23andMe will pay $30 million to settle a lawsuit tied to a data breach.
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident,” the genetics testing company told PYMNTS Sunday (Sept. 15).
“Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”
A Reuters report on the settlement notes that the company has agreed to provide three years of security monitoring as a result of the class-action litigation, which accused 23andMe of failing to protect the private information of almost 7 million customers exposed in the breach last year.
The settlement also resolves allegations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that a hacker had apparently targeted them specifically, selling them on the dark web, Reuters added.
According to the report, 23andMe called the settlement fair and reasonable in its own court filing, but also cited its “extremely uncertain financial condition,” in asking the judge to pause arbitrations by tens of thousands of class members, until the settlement is approved or they decide not to participate.
The company revealed the breach in October of last year, about six months after it began. The incident affected almost half of the 14.1 million customers in 23andMe’s database at the time, Reuters said. A hacker accessed 5.5 million DNA Relatives profiles, which allow customers to share information with each other, along with information for another 1.4 million users of a feature called Family Tree.
As PYMNTS wrote last month, large businesses such as 23andMe “will continue to be attractive targets for cybercriminals,” as the “combination of valuable data, complex systems and the potential for significant ransom payments makes them particularly vulnerable.”
Speaking to PYMNTS for interviews for the “What’s Next in Payments” series, executives stressed the need for the multilayered security strategy known as defense in depth to reduce risks at various levels.
That’s because when an attacker gets access via stolen credentials, the potential for escalation is substantial, with minor disruption quickly spiraling into a full-scale disaster.
“You may not have realized it yet, but they’re going to hit you,” Amount Director of Product Management Garrett Laird told PYMNTS. “The fraudsters are jerks — and they like to hit you on holidays and on weekends, at 2 in the morning.”
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More