In a significant response to a data breach that rocked millions of its users, genetic testing company 23andMe has agreed to a $30 million settlement. The breach, which occurred in 2023, exposed sensitive data from millions of customers, leading to concerns about the company’s security protocols and its ability to safeguard personal and genetic information.

Founded in 2006 by Anne Wojcicki, Linda Avey, and Paul Cusenza, 23andme mission is to make personal genetic information accessible to everyone.The company has revolutionized the way people trace their genealogy and understand their health through its easy-to-use saliva testing kits. Users simply provide a sample, which is then analyzed for genetic markers related to ancestry, health, and wellness.

One of the company’s key services is its DNA Relatives feature, which allows users to connect with genetic relatives based on shared DNA segments. Over the years, 23andMe has helped millions of users discover their family origins, connect with previously unknown relatives, and learn more about their health predispositions.

The 2023 Data Breach

In October 2023, 23andMe experienced a credential stuffing attack, a type of breach where attackers use previously stolen login credentials from unrelated websites to gain access to accounts. This incident compromised the personal data of 6.9 million users, many of whom had opted into the DNA Relatives feature. The breach affected 14,000 user accounts directly, exposing sensitive information such as health data, genetic profiles, and other personal details. Additionally, reports indicated that specific communities, including Jewish and Chinese users, may have been targeted, raising concerns about the motivations behind the attack.

While the company maintains that its core systems were not directly breached, the incident highlighted vulnerabilities in user account security, prompting criticism of 23andMe’s security measures. In the wake of the breach, users expressed concerns over how easily their personal data—especially sensitive genetic information—was accessed and misused.

Following the breach, a class-action lawsuit was filed on behalf of the affected users. The lawsuit alleged that 23andMe had failed to protect user data adequately, allowing hackers to compromise sensitive personal and genetic information. The case was consolidated into a multidistrict litigation in the U.S. District Court for the Northern District of California.

You can read more in an article at: https://www.eladelantado.com/us/23andme-settlement/.