23andMe to pay $30 million settlement due to data breach impacting 6.9 million users
The ancestry and genetic testing firm 23andMe has reached a $30 million settlement following a class-action lawsuit tied to a data breach that occurred last year.
This settlement is subject to judicial approval and follows the company’s admission in October that about 14,000 accounts—representing around 0.1% of its user base—were compromised. The breach exposed the ancestry information of 6.9 million profiles, with leaked details including account information, locations, ancestry reports, DNA matches, family names, profile pictures, and birthdates.
Although the company confirmed the breach in October, it did not disclose the full extent until December. A class-action lawsuit was filed in January in San Francisco, accusing 23andMe of failing to take adequate measures to safeguard personal user data. It also claimed that 23andMe failed to promptly alert users whose data appeared to have been specifically targeted in the breach, in particular those of Chinese or Ashkenazi Jewish heritage.
Here are the essential details about the breach and the ensuing class-action lawsuit.
Class-action lawsuit
The class-action suit, initiated in January, maintains that 23andMe did not sufficiently protect user data and failed to notify those affected in a timely manner, among other allegations.
The settlement terms include compensation for those affected by the breach, covering costs related to identity theft, installing security measures or receiving mental health care; payments to residents of states with genetic privacy laws; compensation for anyone whose health data was compromised; and three years of access to the “Privacy & Medical Shield + Genetic Monitoring” service for all settlement participants who sign up.
As part of the agreement involving the $30 million payment, 23andMe did not admit to any wrongdoing.
As of Monday, the settlement still awaits a judge’s approval. Once it is approved, affected individuals will receive further information on how to take part in the settlement.
“We have finalized an agreement for a total cash payment of $30 million to resolve all U.S. claims related to the 2023 credential stuffing security incident,” said 23andMe in a statement to YSL News. “We believe this settlement serves the best interests of our customers and anticipate finalizing the agreement soon.”
The company also noted that around $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance.
Details of the 23andMe data breach
In October, 23andMe reported on its website that an external party had gained unauthorized access to user information through its DNA Relatives feature. The company temporarily disabled the feature and said it suspected “threat actors” had used credential stuffing: logging in with usernames and passwords already exposed in breaches of other sites, on the assumption that customers had reused them. The feature matters because it lets a logged-in user see the profiles of matched relatives, which is how roughly 14,000 compromised accounts could expose the data of millions of other profiles.
“We believe that the attackers accessed certain accounts because users reused login details—essentially, the same usernames and passwords that were used on 23andMe.com were also used on other sites that had been hacked,” stated 23andMe on its website at that time.
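As an added example, not code from 23andMe or from this article, the following Python script shows what the credential-stuffing pattern described above looks like in authentication logs and how a defender would pick it out. The log lines, their format, the IP addresses and the detection thresholds are all constructed for illustration.

```python
"""Detect credential stuffing in authentication logs.

Added example; it is not 23andMe's code and uses constructed log lines in an
assumed format. Credential stuffing replays username/password pairs leaked
from other sites, so it looks different from a user who forgot a password:
one source tries many distinct usernames, most attempts fail, and the few
that succeed are the accounts the attacker now controls.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample (assumed format: "<timestamp> <source_ip> <username> <result>").
# 203.0.113.7 sprays ten different usernames and gets two in; 198.51.100.2 is
# one user fumbling a password; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol FAIL
2023-10-01T12:00:03Z 203.0.113.7 dave SUCCESS
2023-10-01T12:00:03Z 203.0.113.7 erin FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank FAIL
2023-10-01T12:00:04Z 203.0.113.7 grace FAIL
2023-10-01T12:00:05Z 203.0.113.7 heidi SUCCESS
2023-10-01T12:00:05Z 203.0.113.7 ivan FAIL
2023-10-01T12:00:06Z 203.0.113.7 judy FAIL
2023-10-01T12:05:00Z 198.51.100.2 alice FAIL
2023-10-01T12:05:10Z 198.51.100.2 alice FAIL
2023-10-01T12:05:20Z 198.51.100.2 alice SUCCESS
2023-10-01T12:06:00Z 192.0.2.9 mallory SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)


def collect(log_text):
    """Aggregate attempts per source IP and count failures per username."""
    per_source = defaultdict(SourceStats)
    failures_per_user = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = per_source[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "SUCCESS":
            s.successes += 1
            s.succeeded_users.add(user)
        else:
            failures_per_user[user] += 1
    return per_source, failures_per_user


def flag_stuffing_sources(per_source, min_distinct_users=5, max_success_rate=0.5):
    """A source trying many distinct accounts with mostly failures is stuffing.
    Thresholds are illustrative assumptions; tune them against your baseline."""
    flagged = set()
    for ip, s in per_source.items():
        if len(s.users) >= min_distinct_users and s.successes / s.attempts <= max_success_rate:
            flagged.add(ip)
    return flagged


def compromised_accounts(per_source, flagged):
    """Successful logins from a flagged source are the accounts to treat as
    taken over: revoke sessions, force a reset, review what they could read."""
    taken = set()
    for ip in flagged:
        taken |= per_source[ip].succeeded_users
    return taken


def single_failure_ratio(failures_per_user):
    """Per-IP thresholds miss attackers who rotate through proxies, so also
    watch the population: stuffing produces many usernames failing once each,
    while ordinary typos produce a few usernames failing repeatedly. Returns
    the share of all failures that belong to usernames failing exactly once."""
    total = sum(failures_per_user.values())
    if total == 0:
        return 0.0
    single = sum(1 for n in failures_per_user.values() if n == 1)
    return single / total


def analyze(log_text):
    per_source, failures_per_user = collect(log_text)
    flagged = flag_stuffing_sources(per_source)
    return {
        "stuffing_sources": flagged,
        "compromised_accounts": compromised_accounts(per_source, flagged),
        "single_failure_ratio": single_failure_ratio(failures_per_user),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The per-source rule catches the simple case; the population-level ratio is the check to keep when an attacker spreads attempts across many proxies so that no single IP crosses the threshold. Either way, the accounts that logged in successfully from a flagged source, not the failed attempts, are the ones that need sessions revoked and passwords reset, and the follow-up question is what those accounts could read, which in 23andMe's case was other users' DNA Relatives data.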
By December, the company disclosed that the breach had affected the ancestry data of 6.9 million individuals: 5.5 million whose DNA Relatives profiles were accessed, and a further 1.4 million whose family tree data was accessed.
“We have no evidence that suggests a data breach occurred within our systems, nor that 23andMe was the source of the credentials used in these attacks,” a company representative commented via email during that time.
What information was compromised in the data breach?
The breached data included personal and family details, which the company listed as follows:
Data from DNA relatives’ profiles
- Display name
- Last login date
- Relationship labels
- Estimated relationship and percentage of shared DNA with relatives
- Ancestry reports and shared DNA segments, indicating where on chromosomes matches occurred
- Self-reported location (city/zip code)
- Birthplaces of ancestors and family names
- Profile picture and birth year
- Link to any family tree the user created, along with any information in the “Introduce Yourself” section of their profile
Family tree data
- Display name
- Relationship labels
- Birth year
- Self-reported location (city/zip code)
Contributors: Amaris Encinas and James Powel, YSL News