Current:Home > ScamsBenjamin Ashford|23andMe agrees to $30 million settlement over data breach that affected 6.9 million users -WealthRise Academy
Benjamin Ashford|23andMe agrees to $30 million settlement over data breach that affected 6.9 million users
Surpassing Quant Think Tank Center View
Date:2025-04-10 03:23:00
Ancestry and Benjamin Ashfordgenetics-testing company 23andMe has agreed to pay a $30 million settlement after a class-action lawsuit was brought against the company for last year's data breach.
The settlement, which is pending a judge's approval, comes after the company confirmed in October that "threat actors" used about 14,000 accounts, approximately 0.1% of the company's user base, to access the ancestry data of 6.9 million connected profiles. Leaked data included users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more.
While 23andMe confirmed the existence of the breach in October, it did not reveal the full extent of the issue until December. A class-action suit was filed in San Francisco the following month, accusing 23andMe of failure to amply protect users' personal information. It also accused 23andMe of neglecting to notify certain users that data from people with Chinese or Ashkenazi Jewish heritage appeared to be targeted in the breach.
Here's what to know about the breach and the class-action suit.
Class-action lawsuit
The class-action lawsuit filed in January accuses 23andMe of inadequately protecting user data and failing to notify affected parties in time, among other complaints.
Terms of the settlement include payment to those affected by the security incident to cover expenses like those incurred fighting identity theft, installing physical security systems, or seeking mental health treatment; payments to those living in states with genetic privacy laws; payments to all those who had health information leaked; and three years of access to state of the art "Privacy & Medical Shield + Genetic Monitoring" for all settlement members who enroll.
The company admitted to no wrongdoing as part of the agreement to pay $30 million to affected parties.
As of Monday, a judge still has to approve the deal. If approved, more information will be released for affected parties looking to get in on the legal action.
"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident," 23andMe told USA TODAY in a statement. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."
The company also said that roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.
23andMe data breach
In October, 23andMe said via its website that an outside entity had stolen information from customers using its DNA Relatives feature. The company temporarily disabled the service, saying it believed "threat actors" had gained access using a technique called credential stuffing, in which they used usernames and passwords that had already been exposed via other websites' data breaches or otherwise became available.
“We believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” 23andMe wrote on its website at the time.
In December, 23andMe revealed the extent of the breach, saying ancestry data of 6.9 million people had been affected, 5.5 million of whom were users who opted into 23andMe's "Relatives" feature, which links people with common DNA. Another 1.4 million users also had their family tree information accessed.
"We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," a company spokesperson said in an email at the time.
What was exposed in the data breach?
The accessed data contained personal and family information according to the company, including:
DNA relatives' profile information
- Display name
- How recently they logged into their account
- Their relationship labels
- Their predicted relationship and percentage DNA shared with their DNA Relatives matches
- Their ancestry reports and matching DNA segments, specifically where on their chromosomes they and their relative had matching DNA
- Self-reported location (city/zip code)
- Ancestor birth locations and family names
- Profile picture, birth year
- A weblink to a family tree they created, and anything else they may have included in the “Introduce yourself” section of the profile
Family tree information
- Display name
- Relationship labels
- Birth year
- Self-reported location (city/zip code)
Contributing: Amaris Encinas and James Powel, USA TODAY
veryGood! (95258)
Related
- Charges tied to China weigh on GM in Q4, but profit and revenue top expectations
- Police announce second death in mass shooting at upstate New York park
- Bachelor Nation’s Victoria Fuller Dating NFL Star Will Levis After Greg Grippo Breakup
- Paris Olympic organizers cancel triathlon swim training for second day over dirty Seine
- Whoopi Goldberg is delightfully vile as Miss Hannigan in ‘Annie’ stage return
- How can we end human trafficking? | The Excerpt
- All-American women's fencing final reflects unique path for two Olympic medalists
- Fresh quakes damage West Texas area with long history of tremors caused by oil and gas industry
- Scoot flight from Singapore to Wuhan turns back after 'technical issue' detected
- Hawaii man killed self after police took DNA sample in Virginia woman’s 1991 killing, lawyers say
Ranking
- Meet the volunteers risking their lives to deliver Christmas gifts to children in Haiti
- Gospel group the Nelons being flown by Georgia state official in fatal Wyoming crash
- Michigan’s top court gives big victory to people trying to recoup cash from foreclosures
- At Paris Olympics, Team USA women are again leading medal charge
- DoorDash steps up driver ID checks after traffic safety complaints
- Noah Lyles says his popularity has made it hard to stay in Olympic Village
- Porsche, MINI rate high in JD Power satisfaction survey, non-Tesla EV owners happier
- Swarm of dragonflies startles beachgoers in Rhode Island
Recommendation
Jamie Foxx gets stitches after a glass is thrown at him during dinner in Beverly Hills
A move to limit fowl in Iowa’s capital eggs residents on to protest with a chicken parade
3-year-old dies after falling from 8th-floor window in Kansas City suburb
USA skateboarders Nyjah Huston, Jagger Eaton medal at Paris Olympics
Paula Abdul settles lawsuit with former 'So You Think You Can Dance' co
MLB trade deadline rumors heat up: Top players available, what to know
California firefighters make progress as wildfires push devastation and spread smoke across US West
World No. 1 golfer Scottie Scheffler has been a normal dad and tourist at Paris Olympics