Genetic testing firm 23andMe has agreed to compensate millions of customers affected by a data breach on the company’s platform, offering $30 million as part of a settlement, along with providing users with access to a security monitoring system.
Personal information was exposed last year after a hacker breached the website’s security and posted critical user data for sale on the dark web.
The data potentially encompassed users’ names, sex, date of birth, genetic information, predicted relationships with genetic matches, ancestry reports, ancestors’ birth locations and family names, family tree information, and geographic locations, according to the company.
According to the settlement proposal, users will be sent a link where they can delete all information related to or held by 23andMe.
“23andMe denies any wrongdoing whatsoever,” the company said, while adding that it is settling because it considers further litigation would be “protracted, burdensome and expensive,” according to the court filing. The settlement is subject to court approval.
“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts,” the company said.
Credential stuffing, a type of hacking that falls under brute force techniques, uses stolen username and password pairs to gain access to accounts through website login forms. The method is effective when many people reuse the same username and password across different websites.
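From a defender's side, the pattern described above looks different in login logs from ordinary password guessing: one source tries many different accounts once or twice each, instead of hammering one account. The following is an added example, not code from 23andMe or the original article; the log format, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = "\n".join(
    # One source, six different accounts, one try each, one hit (reused password)
    [f"2024-01-01T10:00:{i:02d} 203.0.113.7 user{i}@example.com "
     f"{'OK' if i == 3 else 'FAIL'}" for i in range(6)]
    # One source, one account, eight tries: classic password guessing
    + [f"2024-01-01T10:01:{i:02d} 198.51.100.9 carol@example.com FAIL"
       for i in range(8)]
    # A user who mistyped once and then logged in
    + ["2024-01-01T10:02:00 192.0.2.10 dave@example.com FAIL",
       "2024-01-01T10:02:09 192.0.2.10 dave@example.com OK"]
)

def parse(log):
    """Yield (ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, ip, user, result = parts
            yield ip, user, result == "OK"

def classify_sources(log, min_users=5, max_tries_per_user=2, guess_tries=5):
    """Label each source IP by the shape of its login attempts (hypothetical thresholds)."""
    attempts = defaultdict(lambda: defaultdict(int))
    for ip, user, _ in parse(log):
        attempts[ip][user] += 1
    verdicts = {}
    for ip, per_user in attempts.items():
        peak = max(per_user.values())
        if len(per_user) >= min_users and peak <= max_tries_per_user:
            verdicts[ip] = "credential_stuffing"   # wide and shallow
        elif peak >= guess_tries:
            verdicts[ip] = "password_guessing"     # narrow and deep
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(log, verdicts):
    """Accounts that a stuffing source logged in to successfully."""
    return sorted({user for ip, user, ok in parse(log)
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_LOG)
    print(v)
    print(accounts_to_reset(SAMPLE_LOG, v))
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting is usually repeated over other keys such as network range or client fingerprint.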
23andMe’s Financial Performance
23andMe’s reported revenue for the fourth quarter of fiscal 2024 was $64 million, which was 31 percent lower than 2023’s $92.4 million, according to a company press release. The company attributed this to the end of a collaboration with GSK, as well as fewer Personal Genome Service kit and telehealth orders. It reported that its 2024 revenues were $219.6 million, nearly $80 million less than the $299.5 million it collected in 2023.
The company’s shares have fallen in value by more than 63 percent since the beginning of the year. Its peak performance was recorded in early 2021, when it was trading at over $16.
According to the press release, the company has been granted until Nov. 4 to regain compliance with the minimum bid price requirement for continued listing on The Nasdaq Capital Market, which is Nasdaq’s tier for companies with the smallest levels of market capitalization.
The company’s “extremely uncertain financial condition” was mentioned in the settlement proposal.
The company is under threat of facing exorbitant filing fees, it said, and it may be forced to “enter into different mass settlements with each counsel threatening mass arbitration claims.”
“Such settlements would benefit only a very limited number of the members of the Settlement Class, and the mass arbitration counsel who have orchestrated that strategy,” it said, indicating that some claimants may not receive any financial compensation.
In an emailed statement to The Epoch Times, 23andMe Communications Director Andy Kill said that out of the $30 million aggregate amount, “roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.”
Besides company data and the personal information of individuals, hackers have increasingly targeted critical infrastructure in the United States. Multiple foreign players, including Russia and China, are behind these attacks on the nation’s resources, according to U.S. intelligence agencies.