23andMe agrees to pay $30M to settle lawsuit over 2023 data breach

23andMe denies wrongdoing but agrees to pay up to settle class action over data breach

Genetic testing company 23andMe has agreed to pay $30 million to settle a class action lawsuit from customers impacted by a 2023 data breach when hackers accessed the personal data of millions of users on the platform.

The complaint accused 23andMe of failing to adequately protect users' information and failing to sufficiently notify users of the breach, as well as other claims. The company denied any wrongdoing as part of the settlement agreement.

23andMe logo

23andMe has agreed to pay $30 million to settle claims related to a breach of customers' data in 2023. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images / Getty Images)

"We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement," a spokesperson for 23andMe told FOX Business in a statement.

The settlement is still pending approval by a judge.

DICK'S SPORTING GOODS HIT BY CYBERATTACK

The spokesperson also noted that around $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. 

Ticker Security Last Change Change %
ME 23ANDME HOLDING CO 3.15 -0.28 -8.16%

23andMe Holding Co.

The profile information of some 23andMe customers started appearing on the dark web in October 2023, with bad actors offering compilations of the information for a price. Names, birth years, genders, ancestry and certain other non-DNA profile information were reportedly among the details that were published.

TOYOTA HAS A DATA DILEMMA AFTER HACKERS LEAK 240GB OF CUSTOMER INFORMATION

The California-based company then confirmed in December of that year that hackers stole personal data from approximately 6.9 million users – or roughly half of its entire customer base. 

23andMe DNA Testing

A 23andMe in Mountain View, California, on Oct. 28, 2018. (Smith Collection/Gado/Getty Images / Getty Images)

Hackers were able to breach those accounts because the customers had used the same username and password on 23andMe as they had on other websites that had been previously compromised.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

The cybersecurity industry commonly refers to that tactic as credential stuffing.

FOX Business' Aislinn Murphy and Bradford Betz contributed to this report.