23andMe pledges $30 million to the 6.4 million people affected by data breach

Genetic testing giant 23andMe will pay $30 million to more than six million people affected by a data breach that occurred in October 2023.

The company settled dozens of lawsuits that arose from an incident where a hacker used stolen usernames and passwords to login and view troves of account information, including health data. 

Through the platform’s DNA Relatives or Family Tree profile service, the hacker obtained additional information on relatives of the account owners they breached. They posted a portion of the data on the dark web, according to 23andMe.

At the time of the leak, a researcher downloaded two files from a BreachForums post and told Recorded Future News that one had information on one million 23andMe users of Ashkenazi heritage, and another file included data on more than 300,000 users of Chinese heritage.

In total, 23andMe said in the settlement that 6.4 people in the U.S. had information downloaded by the hacker. 

Dozens of lawsuits filed across the country were consolidated and a mediator’s proposal of $30 million was accepted in July. A company named Verita has been appointed the claims administrator and will manage the financial disbursements. 

The settlement allows 23andMe to deny “any wrongdoing whatsoever,” and it includes a clause that says it cannot “be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever.”

The DNA Relatives and Family Tree features that were exploited by the hacker allows users to share information about themselves to see genetic relatives. Users have to actively choose to participate in the DNA Relatives feature, 23andMe has argued. 

“None of the information available to users of the features can be used to cause financial or pecuniary harm, or even impersonate a person based on ‘genetics’—it is only information indicating a potential relationship between users of the feature,” 23andMe said in another legal filing. 

Both Canada as well as the United Kingdom announced investigations into the theft in June 2024. 

The settlement includes other pledges about changes at the company, including increased better password protections, mandated multi-factor authentication, annual security awareness training for staff, annual computer scans and cyber audits. 

23andMe has to provide certification of the audits to the lawyers of the litigants for an undisclosed amount of time.