23andMe Proposes $30 Million Payment for Data Breach

23andMe proposes to compensate millions of customers affected by a data breach on the company’s platform, offering $30 million as part of the settlement, along with providing users access to a security monitoring system.
The data could include names, sex, date of birth, genetic information, predicted relationships with genetic matches, ancestry reports, ancestors’ birth locations and family names, family tree information, and geographic locations, according to the company.
According to the settlement proposal, users will be sent a link where they can delete all information related to 23andMe.
“23andMe denies any wrongdoing whatsoever,” but the company said it is settling because it considers further litigation to be “protracted, burdensome and expensive,” according to the court document. The settlement is subject to court approval.
“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts,” the company said.
A type of hacking that falls under brute force techniques, credential stuffing uses stolen username and password pairs to gain access through website login forms. This method of hacking is effective when many people reuse the same username and password on different websites.
23andMe attributed this to the end of a collaboration with GSK and “lower PGS kit volumes and telehealth orders. Full year 2024 revenues were $219.6 million compared to $299.5 million for full year 2023.”
The company’s shares are trading at $0.34 as of 11:21 AM EDT on Sept. 16. The value of 23andMe has fallen over 63 percent since the beginning of the year. The company’s peak performance was recorded in early 2021, when the stock was trading at over $16.
According to the press release, the company has been granted until Nov. 4 to regain compliance with the minimum bid price requirement for continued listing on The Nasdaq Capital Market.
The company’s “extremely uncertain financial condition” was mentioned in the settlement proposal.
The mass arbitration claims threaten to impose exorbitant filing fees on 23andMe, the company said, and it may be forced to “enter into different mass settlements with each counsel threatening mass arbitration claims.”
“Such settlements would benefit only a very limited number of the members of the Settlement Class, and the mass arbitration counsel who have orchestrated that strategy,” indicating some claimants may not receive any financial compensation.
In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, “roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.”
Besides company data and the personal information of individuals, hackers have increasingly targeted critical infrastructure in the United States. Multiple foreign players, including Russia and China, are behind these attacks on the nation’s resources, according to U.S. intelligence agencies.
