23andMe to Pay $30M for Credential Stuffing Hack Settlement
Millions of Customers Will Also Be Offered Monitoring of Genetic Data on Dark Web

Under a proposed $30 million settlement of about 40 consolidated class action lawsuits, genetics testing firm 23andMe will make cash payments to millions of individuals whose sensitive information was compromised in a 2023 credential stuffing incident.
Affected customers also will be offered three years of free monitoring services that not only include identity and credit monitoring but also scans of the dark web for exposure of their genetic data.
The proposed settlement was filed in a northern California federal court on Sept. 12 and is slated for a preliminary hearing on Oct. 17.
23andMe, in a statement to Information Security Media Group (ISMG), said the company expects that roughly $25 million of the settlement and related legal expenses will be covered by its cyber insurance policy.
"We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."
The company declined ISMG's request for further details, including the amount of cash that will be potentially offered to class members. "We cannot comment on this, especially as the settlement has not been formally approved," the statement says.
23andMe said that in early October 2023 it learned that a threat actor had accessed "a select number" of individual 23andMe.com accounts through credential stuffing. The hacker was able to access about 14,000 user accounts, less than 1% of the company's 14 million customers, 23andMe said (see: 23andMe Investigating Apparent Credential Stuffing Hack).
"The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles - approximately 5.5 million - and Family Tree feature profiles - approximately 1.4 million, each of which was connected to the compromised accounts."
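The two phases described above, credential stuffing against a small number of accounts followed by bulk reads of the relative profiles those accounts could see, each leave a distinct signal in authentication and application logs. The following is an added detection example, not 23andMe's code or anything from the case record; the log format, the endpoint names (LOGIN_OK, LOGIN_FAIL, RELATIVES_VIEW), the sample lines and the thresholds are all assumptions constructed for illustration.

```python
"""Detect credential stuffing and the post-login scraping it enables.

Added example; the log format, event names and thresholds are assumptions.
Phase 1: one source IP tries many *distinct* usernames, mostly failing.
Phase 2: the few accounts it did open read far more relative profiles
than a real user would.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (hypothetical format: ts ip user event [count]).
# 203.0.113.7 sprays eight usernames, lands two, then scrapes from both.
# 192.0.2.5 is a legitimate user mistyping their own password once.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T02:00:03Z 203.0.113.7 carol LOGIN_OK
2023-10-01T02:00:04Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T02:00:05Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T02:00:06Z 203.0.113.7 frank LOGIN_FAIL
2023-10-01T02:00:07Z 203.0.113.7 grace LOGIN_OK
2023-10-01T02:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T02:01:00Z 203.0.113.7 carol RELATIVES_VIEW 1500
2023-10-01T02:02:00Z 203.0.113.7 grace RELATIVES_VIEW 1500
2023-10-01T02:03:00Z 198.51.100.9 carol RELATIVES_VIEW 1200
2023-10-01T03:00:00Z 192.0.2.5 alice LOGIN_FAIL
2023-10-01T03:00:10Z 192.0.2.5 alice LOGIN_OK
2023-10-01T03:01:00Z 192.0.2.5 alice RELATIVES_VIEW 40
"""


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    user: str
    kind: str       # LOGIN_OK, LOGIN_FAIL or RELATIVES_VIEW
    count: int = 0  # profiles returned; RELATIVES_VIEW only


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated format; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, ip, user, kind = parts[:4]
        count = int(parts[4]) if len(parts) > 4 else 0
        events.append(Event(ts, ip, user, kind, count))
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames with mostly failures.

    The distinct-user test is what separates stuffing from one person
    retrying their own password; thresholds are assumed, tune per site.
    """
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e.kind in ("LOGIN_OK", "LOGIN_FAIL"):
            users[e.ip].add(e.user)
            total[e.ip] += 1
            if e.kind == "LOGIN_FAIL":
                fails[e.ip] += 1
    return {ip for ip in total
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}


def scraping_accounts(events, max_profiles=1000):
    """Accounts whose relative-profile reads exceed an assumed per-account
    ceiling, summed across all source IPs they were used from."""
    viewed = defaultdict(int)
    for e in events:
        if e.kind == "RELATIVES_VIEW":
            viewed[e.user] += e.count
    return {u: n for u, n in viewed.items() if n > max_profiles}


def compromised_accounts(events):
    """High-confidence set: accounts that logged in from a stuffing source
    and then bulk-read relative profiles. Note the scraped *profiles*
    belong to other users who were never logged into at all."""
    sources = stuffing_sources(events)
    scrapers = scraping_accounts(events)
    return {e.user for e in events
            if e.kind == "LOGIN_OK" and e.ip in sources and e.user in scrapers}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("scraping accounts:", scraping_accounts(evs))
    print("compromised:", compromised_accounts(evs))
```

The point of the second check is the one the incident illustrates: a login-side control alone would have flagged at most 14,000 accounts, while the exposure ran to millions of profiles that were read through the relative-matching feature. Rate limiting and alerting on that feature's per-account read volume is a separate control from rate limiting the login endpoint.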
Threat actors last year claimed on the dark web to have stolen "20 million pieces of code" from 23andMe. According to media reports, the leaked data that was put up for sale pertained to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry (see: 23andMe Says Hackers Stole Ancestry Data of 6.9M Users).
Under the proposed settlement, class settlement members will be offered three years of complimentary "Privacy & Medical Shield + Genetic Monitoring" from CyEx, an independent operating company that is part of Pango Holdings.
In a court document filed with the proposed settlement, a CyEx executive said the Privacy & Medical Shield + Genetic Monitoring service "was designed and built by CyEx specifically for the 23andMe class members and includes multiple features that have never been provided to data breach or security incident victims."
The list of monitoring services includes dark web monitoring for 17 "unique data categories of Settlement Class Members' sensitive data that may be exposed, listed for sale or trade on the dark web."
That includes "specially designed monitoring capacity to scan the dark web for any genetic-related data specific to settlement class members that may be for sale or trade. If genetic-related data is located, CyEx will alert the settlement class member who may contact customer support to speak with a remediation specialist about identifying potential mitigation efforts," the court document says.
The dozens of putative class action lawsuits filed against 23andMe alleged, among other claims, that the company failed to properly protect personal information in accordance with its responsibilities, had inadequate data security protocols and violated various state genetic information privacy statutes and other state consumer statutes.
As part of the settlement agreement, 23andMe is required to implement a long list of security improvements that will not be paid from the settlement fund.
The list includes implementing enhanced password protection, mandating multifactor authentication, conducting annual cybersecurity scans and audits, creating a comprehensive data security program, and enforcing a data retention policy to avoid maintaining information of inactive or deactivated customers beyond an appropriate period of time.