23andMe is close to settling a proposed class action lawsuit filed against the company over a data breach that compromised 6.9 million users’ information. According to the preliminary settlement filing, the DNA testing company has agreed to pay $30 million to affected customers, as well as to conduct annual computer scans and cybersecurity audits for three years. A website will be built to notify people eligible to a portion of the settlement fund and to facilitate payments, with users also able to delete all their information from the service and enroll in a three-year Privacy & Medical Shield + Genetic Monitoring program for free. In October 2023, the company admitted that the DNA Relatives profile information of roughly 5.5 million customers and the Family Tree profile information of 1.4 million DNA Relative participants had been leaked, revealing that hackers accessed customer accounts from April to September that year using a technique called credential stuffing. The breach led to several class action lawsuits, including one claiming that 23andMe failed to notify customers targeted for having Chinese and Ashkenazi Jewish heritage. The company notes in the settlement agreement for the consolidated lawsuit that it denies the claims and allegations. According to Reuters, 23andMe describes its financial condition as “extremely uncertain,” reporting a revenue decline in its 2024 fiscal year, with a significant portion of the settlement money expected to be covered by cyber insurance.
