23andMe Agrees to $30 Million Settlement Following Major Genetics Data Breach

23andMe, the genetics testing company, has agreed to pay $30 million to settle a lawsuit related to a data breach that exposed the personal information of approximately 6.9 million customers in 2023. This breach began in April 2023 and lasted about five months, affecting nearly half of 23andMe’s customer database. The attack targeted specific user groups, including those of Chinese and Ashkenazi Jewish descent, with information being posted for sale on the dark web (BleepingComputer) (AOL.com).

As part of the settlement, 23andMe will provide affected customers with three years of security monitoring through a program called Privacy & Medical Shield + Genetic Monitoring. The company has also committed to enhancing its cybersecurity measures, including implementing protections against credential-stuffing attacks and enforcing mandatory two-factor authentication for all users. Additionally, 23andMe will establish a data breach incident response plan and halt the retention of personal data for inactive or deactivated accounts (BleepingComputer).

This settlement follows multiple class-action lawsuits filed against the company, alleging that it failed to safeguard user data and did not adequately inform customers about the breach. Although 23andMe denies any wrongdoing, the company views the settlement as a fair resolution to the matter, with approximately $25 million of the cost expected to be covered by cyber insurance (AOL.com).
