US-based gene analysis start-up 23andMe has agreed to pay $30 million in damages to affected customers to settle a class-action lawsuit[1]. The settlement follows a massive data breach in 2023, in which criminals gained access to the data of over 6.9 million users[1].
Details of the incident
The hackers apparently specifically targeted the genetic information of Ashkenazi Jewish and Chinese users[1]. In addition to direct customer information, data of potential relatives linked to profiles via the "DNA Relatives" platform feature were also stolen[1].
Compensation and security measures
In addition to financial compensation, affected individuals are expected to receive access to a security monitoring program for three years[1]. The company can only afford the $30 million compensation sum because $25 million is expected to be covered by insurance[1].
Chronology and scope
23andMe initially announced the data leak in October 2023, with the full extent only becoming clear in December of the same year[1]. Initially, the company only spoke of possible access to some gene datasets and health data[1].
Hackers' method
The attackers used "credential stuffing", in which login data stolen elsewhere is tried on other platforms[1]. In addition, they stole and sold genetic information of victims' potential relatives[1].
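Detection logic for the credential-stuffing pattern described above, as an added example that is not from the article and not 23andMe's own code; the log format, the thresholds and the sample events are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Parse one constructed 'timestamp ip account outcome' auth-log line."""
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome

def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_accounts=20, min_fail_ratio=0.8):
    """Flag source IPs that, within any time window, try many distinct
    accounts and mostly fail; also report accounts where such an IP then
    succeeded, since those logins likely used a password reused from
    another breach (thresholds are assumed, tune them to your traffic)."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, account, outcome = parse_line(line)
        by_ip[ip].append((ts, account, outcome))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "fail")
            if len(accounts) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                hit = findings.setdefault(ip, {"accounts_tried": 0, "likely_compromised": set()})
                hit["accounts_tried"] = max(hit["accounts_tried"], len(accounts))
                hit["likely_compromised"] |= {a for _, a, o in chunk if o == "success"}
    return {ip: {"accounts_tried": h["accounts_tried"],
                 "likely_compromised": sorted(h["likely_compromised"])}
            for ip, h in findings.items()}

def build_sample_log():
    """Constructed auth log: one IP sprays 30 accounts in under five minutes
    (3 of them succeed), while a second IP logs one user in normally."""
    t0 = datetime(2023, 10, 1, 10, 0, 0)
    lines = ["2023-10-01T09:58:00 198.51.100.5 alice success"]
    for i in range(30):
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        outcome = "success" if i in (4, 17, 23) else "fail"
        lines.append(f"{ts} 203.0.113.7 user{i:02d} {outcome}")
    return lines

if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(build_sample_log()).items():
        print(ip, finding)
```

The accounts listed under likely_compromised are the ones to force a password reset and session revocation on; the spraying IP is what rate limiting or MFA challenges should have stopped earlier.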
International investigations
In addition to the class-action lawsuit in the US, authorities in the UK and Canada also plan to investigate the data leak[1]. The stolen data was offered in three different packages on the dark web, including specific collections of genetic information from Ashkenazi Jewish and Chinese users[1].
This incident highlights the growing security risks in the field of digital health data and raises questions about companies' responsibility in handling sensitive genetic information.
Source:
[1] 23andme: Hacked gene analysis start-up must pay 30 million in damages https://www.heise.de/news/23andme-Gehacktes-Genanalyse-Start-up-muss-30-Millionen-Schadensersatz-zahlen-9873350.html
