Biotech firm 23andMe has agreed to pay tens of millions of dollars to the victims of a major data breach in 2023.
Over six million individuals’ information was accessed via the data breach, including a significant number of files containing info about users’ ancestry.
The firm has also agreed to bolster its security in the wake of the incident, including mandatory multi-factor authentication (MFA), protection against credential stuffing and annual audits.
However, the settlement is in no way an admission of any guilt.
“23andMe denies any wrongdoing whatsoever, and this agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever,” the company stated in the settlement agreement.
It was revealed that hackers originally gained access to a small number of user accounts via previously compromised credentials, because these accounts were not protected by MFA. They were subsequently able to scrape data from additional users who had registered with the DNA Relatives feature.
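The two-stage pattern described above, credential stuffing against accounts without MFA followed by scraping of other users' DNA Relatives data, is what a defender would look for in authentication and feature-access logs. The following is an added illustration, not code from the article or from 23andMe; the log fields, thresholds and sample events are assumptions over constructed data.

```python
from collections import defaultdict

# Constructed sample data (not real 23andMe logs): login attempts as
# (timestamp_seconds, source_ip, username, outcome).
LOGIN_EVENTS = [
    (0, "198.51.100.7", "alice", "fail"),
    (2, "198.51.100.7", "bob", "fail"),
    (4, "198.51.100.7", "carol", "fail"),
    (6, "198.51.100.7", "dave", "success"),  # a reused password worked
    (8, "198.51.100.7", "erin", "fail"),
    (10, "203.0.113.5", "frank", "fail"),  # one user mistyping a password
    (30, "203.0.113.5", "frank", "success"),
]
# DNA Relatives profile views as (timestamp_seconds, username, profile_id).
RELATIVE_VIEWS = [(20 + i, "dave", f"rel-{i}") for i in range(120)]  # scripted enumeration
RELATIVE_VIEWS += [(50, "frank", "rel-3"), (55, "frank", "rel-9")]  # ordinary browsing

def burst_keys(records, window, threshold):
    """Return keys that touched >= threshold distinct values within any
    `window`-second span. records: iterable of (timestamp, key, value)."""
    by_key = defaultdict(list)
    for ts, key, value in records:
        by_key[key].append((ts, value))
    flagged = set()
    for key, items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {v for ts, v in items[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged.add(key)
                break
    return flagged

def stuffing_sources(logins, window=60, min_users=5):
    """IPs cycling through many usernames: stuffing replays leaked pairs,
    while a real user retrying a password stays on one account."""
    return burst_keys(((ts, ip, user) for ts, ip, user, _ in logins), window, min_users)

def accounts_hit(logins, sources):
    """Accounts that logged in successfully from a flagged source; these
    are the footholds a DNA Relatives scrape would run from."""
    return {u for _, ip, u, outcome in logins if ip in sources and outcome == "success"}

def scraping_accounts(views, window=300, min_profiles=50):
    """Accounts fetching many distinct relative profiles in a short window:
    the second stage, where one login exposes everyone who opted in."""
    return burst_keys(views, window, min_profiles)
```

Forcing MFA on the accounts returned by `accounts_hit` and rate-limiting the accounts returned by `scraping_accounts` map directly onto the two remediation commitments in the settlement.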
The firm’s lawyers have always argued vehemently that the fault was with negligent users, even though the majority of customers who were breached were caught up in the incident through no fault of their own – because they’d opted in to DNA Relatives.
They also argued that the compromised data couldn’t be used to cause “pecuniary harm” as it didn’t include users’ social security number, driver’s license number or any payment details.
In the end, data on an estimated 6.9 million customers, including 6.4 million US residents, was compromised in the attack.
In October 2023, threat actors claimed to be selling genetic profile data for millions of British and Ashkenazi Jewish people.