Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security The Almighty Buck

23andMe To Pay $30 Million In Genetics Data Breach Settlement (bleepingcomputer.com) 36

23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.

23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.
"23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.

"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."
This discussion has been archived. No new comments can be posted.

23andMe To Pay $30 Million In Genetics Data Breach Settlement

Comments Filter:
  • Admit no wrongdoing? (Score:4, Interesting)

    by RitchCraft ( 6454710 ) on Friday September 13, 2024 @09:14PM (#64786769)

    I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.

    • Of course you're guilty, and you know it, or you would not have settled in the first place.

      This is a civil suit. "Guilt" isn't even relevant, and demonstrating guilt is not necessary for the defendants to prevail.

      The two sides sat down and hashed out a business deal close to what they believed a trial outcome would've been but avoided the uncertainty and legal costs. That's it.

      It's about money, not "guilt".

      • by clovis ( 4684 )

        That, and also if it went to court, the management and who knows else gets tied up in endless depositions (that the company ends up paying for) and the lawyers request copies of every written and digital record going back forever.

    • It is possible to cause harm without first doing something "wrong." I'm not saying that is the case here, just that settling a lawsuit doesn't always imply that the company feels they did something wrong, only that they know that they caused harm, and they'd rather settle than risk even bigger penalties if they lose the lawsuit in court. From their perspective, better to pay a known "small" amount now, than an unknown *larger* amount later.

      • by tlhIngan ( 30335 )

        It is possible to cause harm without first doing something "wrong." I'm not saying that is the case here, just that settling a lawsuit doesn't always imply that the company feels they did something wrong, only that they know that they caused harm, and they'd rather settle than risk even bigger penalties if they lose the lawsuit in court. From their perspective, better to pay a known "small" amount now, than an unknown *larger* amount later.

        Or you can be completely innocent and settle. It can be cheaper to s

    • I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.

      I fully agree. But they look stupid anyway, which perhaps is the point of that statement. They left their car door unlocked, and someone broke in. Wrongdoing is defined as wicked or evil behavior. So when they’re allowed to say that, I think it has more to do with malicious intent. Leaving your car door unlocked is more stupid than evil.

      The real crime, was not enforcing military contractor grade or better security regulations on them from day ONE. Who even starts a DNA gathering service without 2

    • I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.

      To be fair ... it means "we deny guilt, but think this is cheaper than quite possibly (unfairly) losing."

      For all I know they are guilty as sin, but let's get real, these kinds of settlements are not admissions of guilt.

  • so $2/user? (Score:5, Insightful)

    by oneiros27 ( 46144 ) on Friday September 13, 2024 @09:18PM (#64786779) Homepage

    $30 million for 6.4million users.

    No mention of what the attorney's fees are in the document that I saw, but somehow that always seems to be about 1/2 of the settlement on these sorts of things... so $15m for 6.4m people, or $2.34 per person.

    Then there's mailing all of the folks to let them know about it, then again to mail the checks out... it might not even make it to $2 per person for this

  • useless penalty (Score:5, Insightful)

    by Jayhawk0123 ( 8440955 ) on Friday September 13, 2024 @09:29PM (#64786795)

    they charge $99/year... are paying out roughly $4.68 per impacted user...

    I'm sorry- but "23andMe believes the settlement is fair, adequate, and reasonable" screams they think they got a sweetheart deal out of this. Think the law firm representing the affected users needs to be reviewed. Although... looking at their financials (23 and me), maybe the lawyers thought the business might be bankrupt if it went any longer.

  • Thereby needlessly punishing all the customers who use strong passwords.
    I hate every form of two-factor authentication, but especially the most common kind used by stupid websites: sending you a one-time password.
    I would seriously consider dumping any service that starting requiring this.

  • by rsilvergun ( 571051 ) on Friday September 13, 2024 @09:56PM (#64786841)
    And even if you've never done anything wrong if one of your distant relatives has there's a chance you could get a knock on the door from the cops. That could turn into major legal problems costing you tens of thousands of dollars to fight off or worse they could force you into a fake confession. It sounds like something out of bad TV but John Oliver has a good video on it and on police interrogation in general.

    What I'm saying is don't use these services. If you want to have your genome sequenced go see a doctor.

    Unless you're a white supremacist of course. In which case it's fucking hilarious when they find out they're like 20% or 30% black. And don't anyone tell them where the human race originated...
    • by argStyopa ( 232550 ) on Saturday September 14, 2024 @07:50AM (#64787237) Journal

      I like how you rambled on about nonsense (honestly: if my DNA helps the cops to figure out my cousin is actually a mass murderer? FINE.) finally ending up on White supremacists and racism durr.

      Jesus. Touch grass once in a while brother.

      • it's just as likely the cops will arrest *you* for your cousin's mass murder and then try to pin it on you so they can close the case.

        Cops are graded and scored just like every other job on this planet, and just like any other worker they're gonna do whatever it takes to meet those stats.
        • "it's just as likely the cops will arrest *you* for your cousin's mass murder and then try to pin it on you so they can close the case. "

          Say "I'm completely irrational" without actually using those words.

          Yes, OF COURSE we'll use a highly specific DNA sequencing letting us - on just the preliminary sweep - to identify the suspect (or more likely, exonerate wrongly-accused people) but then we'll just say "WTF, just convict THAT guy, it's close enough, let's get a donut!"
          Sure, that's exactly how it happens, I

    • by cascadingstylesheet ( 140919 ) on Saturday September 14, 2024 @08:10AM (#64787255) Journal

      Unless you're a white supremacist of course. In which case it's fucking hilarious when they find out they're like 20% or 30% black.

      It seems to be black supremacists who get more upset about this stuff these days.

      They get awfully upset if, say, you point out that Obama is only half black ...

      • We have a large number of Jamaicans, other Hispanics and African Americans in my area besides a white population, even funnier to hear who considers themselves or the other black, white, hispanic and none of the above.

      • because they don't have any power. White Supremacists do. One of 'em is running for President and has a 50/50 shot at winning.

        What, you didn't figure out that talk of eating cats & dogs was blood libel? Frankly neither did I, someone pointed it out to me. That's why it's a dog whistle.
  • Zero trust (Score:5, Informative)

    by sound+vision ( 884283 ) on Friday September 13, 2024 @10:04PM (#64786851) Journal

    I have zero trust that a company like 23andme will hold my information securely.

    The only way I would give up my DNA information to a company is if they didn't hold it at all.

    But if a company like 23andme told me they weren't holding it, I wouldn't trust that either. They'd have to go to pretty extreme lengths to get that kind of trust. Some boilerplate "Your privacy is very important to us" screen doesn't cut it, and if anything decreases my trust.

    • by Scutter ( 18425 )

      The only way I would give up my DNA information to a company is if they didn't hold it at all.

      Even then, there's no way in hell I'd trust that they were telling the truth about them not keeping it. They have nothing to lose by lying and everything to gain.

    • You shouldn't trust *any* company to hold *any* of your data securely. It's all at risk. All of it, everywhere.

      • The company I worked for had its accounting system breached. My doctor had his medical systems breached. I'm pretty sure my bank had a breach.

        Fuck it. You buckle up and take the ride, hope it doesn't affect you and try not to think about what you can't control.

        But if I'm ever on a jury for someone who committed cybercrime, I'm voting for capital punishment even though we don't have that here.

  • by 50000BTU_barbecue ( 588132 ) on Friday September 13, 2024 @10:24PM (#64786871) Journal

    I use 24andMe

  • Oblig (Score:5, Funny)

    by Barny ( 103770 ) on Friday September 13, 2024 @10:42PM (#64786893) Journal

    "All clients of 23andMe are strongly advised to change their genome to prevent any future attacks using this data."

  • Leaky BY DESIGN (Score:5, Interesting)

    by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Friday September 13, 2024 @11:12PM (#64786909) Homepage Journal

    denies that it failed to properly protect the Personal Information

    That they ask for your name at all is an outrage — and the reason, I still haven't used one of these services. There is absolutely no reason, why these services cannot be provided anonymously: you buy their kit and then send it to them retaining a number (you can call it "cookie", that's Ok).

    With that cookie you can look up your results on the company's web-site. They don't need to know your name and address at all...

    A truly paranoid would buy using cash in a store two states away from their own — and then use Tor to download the results. Maybe. But even simply retaining anonymity is enough for most cases...

    • They can triangulate you based on relatives who give their ID.

      Send it to Germany if you care abiut privacy. For now that's safer but be aware that laws can be revoked.

      The odds of you having a genetic disease are low so eat right and exercise while you consider your options.

      • by mi ( 197448 )

        They can triangulate you based on relatives.

        Yes, I know, they can. But I was not talking about subpoena-proof privacy — just protecting against the accidental data-leaks like this one...

        who give their ID

        They shouldn't be asking for IDs to begin with — heck, they shouldn't even be asking for names!

        Send it to Germany if you care abiut privacy.

        What, they aren't asking for the customers' names in Germany?

  • by backslashdot ( 95548 ) on Saturday September 14, 2024 @12:50AM (#64786975)

    Lawyers: $25 million
    Customer that was actually wronged: 25 cents

  • 10% of one year? (Score:5, Insightful)

    by Kelxin ( 3417093 ) on Saturday September 14, 2024 @02:38AM (#64787047)
    2023 they made almost $300 million. Another settlement, another slap on the wrist. At that price, it's just the cost of doing business. Until we wake up, we're going to continue being a casualty of American business tactics.
    • We all know that the data was stolen by intelligence agencies or bioweapons manufacturers and they'll be reimbursed in some plausibly-deniable way.

      Notice that the Theranos op/scam to steal everybody's sequence data was allowed to collapse as soon as it was discovered that people would actually pay to give away their sequence data.

  • Is that "mandatory 2FA" at least an authenticator app or a Yubikey? Or is it the pseudo-2FA done with text messages?

  • That is $5 per person affected, i.e. much less than they paid. And nobody goes to prison. Seems to me there is no actual interest in protecting personal data.

Wishing without work is like fishing without bait. -- Frank Tyger

Working...