DNA testing company 23andMe has agreed to settle a lawsuit after a huge data breach.
The class action lawsuits were filed by customers in January after discovering that their ultrasensitive genetic information had been stolen by hackers.
The company initially out-and-out denied that it had been breached, but data was then found being sold for between $1 and $10 per account on BreachForums.
Settlement Offers Cash and Security Monitoring
The beleaguered company has now agreed to pay $30 million to settle the lawsuit and has also agreed to provide customers with “access to a security monitoring program for three years”, reports The Verge.
The judge needs to approve the proposed settlement, which will be another huge blow to the company. In January, the Wall Street Journal reported that its valuation had crashed 98% from its peak.
How Did 23andMe Data Get Stolen?
The company admitted that hackers had stolen data for 6.9 million users in October. A spokesperson from the company explained: “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andMe.com accounts without authorization and obtained information from those accounts.”
Specific Genetic Groups Targeted
However, details were scant until December, and this has caused frustration among users, especially when it came to light that certain groups of people had been targeted.
When it came to selling the data, the hackers specifically shared the data of Ashkenazi Jews and users with Chinese heritage. Plaintiffs argue that they should have been told that they had been singled out.
What Next for 23andMe?
After a failed bid to take the company private earlier this year, CEO Anne Wojcicki is now facing an uphill battle to keep the company functioning. A spokesperson told The Verge that $25 million of the settlement will be covered by its cyber insurance policy.
What this won’t help with, though, is the loss of trust among users and the potential that new customers will be scared off, especially when it is the most personal of data that they would be sharing.