23andMe disclosed a data breach last October but only confirmed the overall impact in December. The breach potentially exposed information such as names, birth years, and ancestry details of customers using the DNA Relatives feature. The company attributed the breach to credential stuffing, a method where attackers use recycled login credentials from previous security breaches to access accounts.
The incident significantly impacted the already struggling company. As 23andMe’s stock price continued to decline, CEO Anne Wojcicki attempted to take the company private earlier this year. However, the special committee rejected this offer last month. The settlement mentioned financial concerns, stating, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.” Katie Watson, a spokesperson for 23andMe, informed The Verge that the company expects cyber insurance to cover $25 million of the settlement.
"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement," Watson stated.
The proposed settlement still requires approval from the judge.