23andMe based in San Francisco has proposed an agreement to resolve a class action lawsuit that was submitted because of a breach of consumer information in 2023. The breach happened in October 2023 and the attacker stole the data of around 6.9 million people, about 50% of its consumers. There breach did not affect 23andMe’s network, but a threat actor performed a credential-stuffing attack that permitted access to some consumer accounts. About 14,000 personal accounts were breached, approximately 0.1% of its consumers.
When 23andMe discovered the breach, the blame was put on the poor security practices of customers. The accounts are only accessed since the impacted consumers had utilized similar username/password combinations that were used to protect accounts on unconnected platforms. Whenever those third-party platforms encountered data breaches and credentials were compromised, they could be taken to get access to any other account that used the credentials, which in this instance was 23andMe.
Data acquired from those accounts involved uninterrupted raw genotype information, health predisposition studies, and carrier-status research. The threat actor likewise accessed the DNA Relatives feature. With that feature, the threat actor viewed the profile data of about 5.5 million 23andMe users and the Family Tree data of another 1.4 million people. The threat actor then posted datasets for sale, which include consumers who have Jewish and Chinese descent.
23andMe is facing over 24 lawsuits because of the data breach. The plaintiffs’ lawyers stated that the datasets available for sale can be utilized as a hit list. Jews could be targeted. The intelligence agencies of the People’s Republic of China can use the Chinese dataset to target dissidents. Although access to the 14,000 accounts was intended to reuse the customers’ passwords, lawyers for the plaintiffs contended that 23andMe ought to have done more to secure users’ sensitive information.
They claimed that 23andMe ought to have known the likelihood of a cyberattack, should have done something to minimize the risk, and ought to have had appropriate data breach procedures set up and HIPAA training. Additionally, the company ought to have informed consumers of Jewish and Chinese descent that the datasets were exposed and that they could be attacked. The lawsuits additionally claimed that 23andme lied concerning data protection and did not use security as per industry requirements, then lied regarding the extent and seriousness of the breach.
In a court hearing, lawyers representing 23andMe revealed that a settlement was agreed in theory to end the litigation. The company is completing the specifics and expects to create an executive term sheet over the following week and will then write a complete settlement agreement of U.S. claims relating to the 2023 ‘credential stuffing’ security incident. This settlement is for the benefit of 23andMe consumers.
Lawyers representing the plaintiffs and class contended that as per the Illinois Genetic Information Privacy Act, a number of the class were owed as much as $3 billion in damages. In its yearly report, 23andMe shared that the company has approximately $216 million in funds, so any continuing legal action to acquire sizeable damages risked 23andMe submitting for bankruptcy. The conditions of the settlement were not yet revealed, however, the settlement will probably include payment for dark web tracking services and non-monetary aid. A court hearing is scheduled for July 30 with news on the term sheet and a motion for initial approval of the offered settlement is anticipated to be submitted in a few months.