23andme: Hacked gene analysis start-up must pay 30 million in damages
A class action lawsuit against 23andMe has ended in a settlement. Affected customers will be compensated with a total of 30 million dollars.
In 2023, the genetic analysis start-up 23andMe fell victim to a data breach: criminals stole data records from millions of customers and their potential relatives. To settle a class action lawsuit, the company is now paying a total of 30 million US dollars in damages to the affected customers. According to the US online outlet The Verge, the attackers apparently targeted the data of Ashkenazi Jewish and Chinese users in particular. Over 6.9 million users were affected.
In addition to their share of the compensation, the victims are expected to receive access to a security monitoring program for three years. 23andMe announced the data leak in October 2023, and the full extent became known in December of the same year.
Initially, the start-up only announced that attackers may have accessed some genetic records and other health data. However, it appears that the breach was not limited to users whose login data had already been captured by attackers elsewhere. In other words, it was not just accounts taken over through credential stuffing, a tactic in which captured login data is tried out on all possible platforms. Genetic information of possible relatives of the victims, which had previously been found using the "DNA Relatives" platform function and then linked to the profiles, was also captured and sold.
Class action ends in settlement
In January, the affected customers filed a class action lawsuit in a court in San Francisco, which has now ended in a settlement. According to Malwarebytes, the amount of 30 million dollars was agreed presumably because the company would not have been able to pay any more. It was only able to pay the 30 million dollars because 25 million is expected to be covered by insurance.
The data leak is also being investigated in the UK and Canada. According to Malwarebytes, the stolen data was offered on the darknet in three different bundles: one with the data of all victims, one with genetic information of Ashkenazi Jewish users and one with genetic data of Chinese users.
(kst)