(NEXSTAR) — 23andMe has proposed a $30 million settlement over a class-action lawsuit filed in response to a 2023 data breach.
23andMe, a genetic testing and biotech company, first announced in October 2023 that the site had been the victim of a “credential stuffing attack,” during which hackers were able to use login credentials — allegedly obtained via a previous hack of an unrelated website — to access its customers’ accounts.
In the months that followed, 23andMe confirmed that “threat actors” were able to access about 14,000 accounts, through which the data of 6.9 million users was compromised. Much of that data belonged to users who opted into the DNA Relatives feature, which allows users to share certain personal information with other users considered their genetic relatives.
A class-action lawsuit subsequently filed against 23andMe accused the site of failing to protect users, Reuters reported. The lawsuit also alleged that much of the stolen data belonged to Jewish and Chinese users, possibly in a targeted attack, according to the outlet.
In a statement obtained by NewsNation parent company Nexstar, 23andMe confirmed it had proposed the $30 million settlement agreement, though it had not been approved as of Monday.
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court,” a 23andMe spokesperson wrote in an emailed statement.
“Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage,” the statement continued. “We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”
Reuters reported that 23andMe had also proposed to offer affected users three years of enrollment in an online security program in addition to the payments.
Court documents filed by 23andMe, and first cited by tech outlets including PCMag and CNET, also indicate that members of the class-action lawsuit may be eligible for payments of around $100 or possibly more, depending on the claims rate. Payments of up to $10,000 may also be made in cases of “extraordinary claims” in which victims provide evidence of losses or expenses incurred as a result of the breach, the documents say.
Users who were targeted by the breach cannot file a claim or apply for a payment until 23andMe’s proposal is approved. A representative for 23andMe did not say whether users would be notified of any method for filing a claim in the future.