23andMe To Pay $30 Million In Genetics Data Breach Settlement (bleepingcomputer.com)
23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. BleepingComputer reports: The proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum filed (PDF) Friday.
23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions. "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.
"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."
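The credential-stuffing protections the settlement requires are the defensive side of a pattern that is visible in authentication logs: one source cycling through many different accounts with mostly failures. As an added example (not code from the article, BleepingComputer or 23andMe), this Python heuristic flags such a source and lists the accounts it actually got into; the log format, thresholds and sample lines are constructed assumptions for the example.

```python
# Credential-stuffing heuristic over constructed login logs (added example, not
# from the article or 23andMe). Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp ip username result"
SAMPLE_LOG = """\
2024-09-13T10:00:01 203.0.113.5 alice FAIL
2024-09-13T10:00:02 203.0.113.5 bob FAIL
2024-09-13T10:00:03 203.0.113.5 carol OK
2024-09-13T10:00:04 203.0.113.5 dave FAIL
2024-09-13T10:00:05 203.0.113.5 erin FAIL
2024-09-13T10:00:06 203.0.113.5 frank FAIL
2024-09-13T10:05:00 198.51.100.7 alice FAIL
2024-09-13T10:05:10 198.51.100.7 alice FAIL
2024-09-13T10:05:20 198.51.100.7 alice OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Flag IPs that, inside any sliding `window`, try >= `min_distinct_users`
    accounts with a success ratio <= `max_success_ratio`; report which accounts
    succeeded, since those are the ones to reset and step up authentication on."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window start
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if (len(users) >= min_distinct_users
                    and successes / len(chunk) <= max_success_ratio
                    and len(users) > flagged.get(ip, {}).get("distinct_users", 0)):
                flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                               "successful_users": {u for _, u, ok in chunk if ok}}
    return flagged
```

A real user who mistypes a password (the second IP) touches one account and is not flagged; the first IP is, and `successful_users` tells you which account needs a forced reset.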
Admit no wrongdoing? (Score:4, Interesting)
I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.
Re: (Score:1)
Of course you're guilty, and you know it, or you would not have settled in the first place.
This is a civil suit. "Guilt" isn't even relevant, and demonstrating guilt is not necessary for the defendants to prevail.
The two sides sat down and hashed out a business deal close to what they believed a trial outcome would've been but avoided the uncertainty and legal costs. That's it.
It's about money, not "guilt".
Re: (Score:2)
That, and also if it went to court, the management and who knows else gets tied up in endless depositions (that the company ends up paying for) and the lawyers request copies of every written and digital record going back forever.
Re: (Score:3)
It is possible to cause harm without first doing something "wrong." I'm not saying that is the case here, just that settling a lawsuit doesn't always imply that the company feels they did something wrong, only that they know that they caused harm, and they'd rather settle than risk even bigger penalties if they lose the lawsuit in court. From their perspective, better to pay a known "small" amount now, than an unknown *larger* amount later.
Re: (Score:2)
Or you can be completely innocent and settle. It can be cheaper to s
Re: (Score:3)
I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.
I fully agree. But they look stupid anyway, which perhaps is the point of that statement. They left their car door unlocked, and someone broke in. Wrongdoing is defined as wicked or evil behavior. So when they’re allowed to say that, I think it has more to do with malicious intent. Leaving your car door unlocked is more stupid than evil.
The real crime, was not enforcing military contractor grade or better security regulations on them from day ONE. Who even starts a DNA gathering service without 2
Re: (Score:2)
I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.
To be fair ... it means "we deny guilt, but think this is cheaper than quite possibly (unfairly) losing."
For all I know they are guilty as sin, but let's get real, these kinds of settlements are not admissions of guilt.
so $2/user? (Score:5, Insightful)
$30 million for 6.4million users.
No mention of what the attorney's fees are in the document that I saw, but somehow that always seems to be about 1/2 of the settlement on these sorts of things... so $15m for 6.4m people, or $2.34 per person.
Then there's mailing all of the folks to let them know about it, then again to mail the checks out... it might not even make it to $2 per person for this
useless penalty (Score:5, Insightful)
they charge $99/year... are paying out roughly $4.68 per impacted user...
I'm sorry- but "23andMe believes the settlement is fair, adequate, and reasonable" screams they think they got a sweetheart deal out of this. Think the law firm representing the affected users needs to be reviewed. Although... looking at their financials (23 and me), maybe the lawyers thought the business might be bankrupt if it went any longer.
Mandatory two-factor authentication (Score:2)
Thereby needlessly punishing all the customers who use strong passwords.
I hate every form of two-factor authentication, but especially the most common kind used by stupid websites: sending you a one-time password.
I would seriously consider dumping any service that started requiring this.
They share your DNA with the cops (Score:5, Insightful)
What I'm saying is don't use these services. If you want to have your genome sequenced go see a doctor.
Unless you're a white supremacist of course. In which case it's fucking hilarious when they find out they're like 20% or 30% black. And don't anyone tell them where the human race originated...
Re:They share your DNA with the cops (Score:5, Insightful)
I like how you rambled on about nonsense (honestly: if my DNA helps the cops to figure out my cousin is actually a mass murderer? FINE.) finally ending up on White supremacists and racism durr.
Jesus. Touch grass once in a while brother.
You're only thinking about best case (Score:1)
Cops are graded and scored just like every other job on this planet, and just like any other worker they're gonna do whatever it takes to meet those stats.
Re: (Score:3)
"it's just as likely the cops will arrest *you* for your cousin's mass murder and then try to pin it on you so they can close the case. "
Say "I'm completely irrational" without actually using those words.
Yes, OF COURSE we'll use a highly specific DNA sequencing letting us - on just the preliminary sweep - to identify the suspect (or more likely, exonerate wrongly-accused people) but then we'll just say "WTF, just convict THAT guy, it's close enough, let's get a donut!"
Sure, that's exactly how it happens, I
Re:They share your DNA with the cops (Score:4, Insightful)
Unless you're a white supremacist of course. In which case it's fucking hilarious when they find out they're like 20% or 30% black.
It seems to be black supremacists who get more upset about this stuff these days.
They get awfully upset if, say, you point out that Obama is only half black ...
Re: They share your DNA with the cops (Score:1)
We have a large number of Jamaicans, other Hispanics and African Americans in my area besides a white population, even funnier to hear who considers themselves or the other black, white, hispanic and none of the above.
I'm not scared of black supremacists (Score:1)
What, you didn't figure out that talk of eating cats & dogs was blood libel? Frankly neither did I, someone pointed it out to me. That's why it's a dog whistle.
Zero trust (Score:5, Informative)
I have zero trust that a company like 23andme will hold my information securely.
The only way I would give up my DNA information to a company is if they didn't hold it at all.
But if a company like 23andme told me they weren't holding it, I wouldn't trust that either. They'd have to go to pretty extreme lengths to get that kind of trust. Some boilerplate "Your privacy is very important to us" screen doesn't cut it, and if anything decreases my trust.
Re: (Score:2)
The only way I would give up my DNA information to a company is if they didn't hold it at all.
Even then, there's no way in hell I'd trust that they were telling the truth about them not keeping it. They have nothing to lose by lying and everything to gain.
Re: (Score:2)
You shouldn't trust *any* company to hold *any* of your data securely. It's all at risk. All of it, everywhere.
Re: (Score:3)
The company I worked for had its accounting system breached. My doctor had his medical systems breached. I'm pretty sure my bank had a breach.
Fuck it. You buckle up and take the ride, hope it doesn't affect you and try not to think about what you can't control.
But if I'm ever on a jury for someone who committed cybercrime, I'm voting for capital punishment even though we don't have that here.
I'm so hairy (Score:3)
I use 24andMe
Oblig (Score:5, Funny)
"All clients of 23andMe are strongly advised to change their genome to prevent any future attacks using this data."
Leaky BY DESIGN (Score:5, Interesting)
That they ask for your name at all is an outrage — and the reason, I still haven't used one of these services. There is absolutely no reason, why these services cannot be provided anonymously: you buy their kit and then send it to them retaining a number (you can call it "cookie", that's Ok).
With that cookie you can look up your results on the company's web-site. They don't need to know your name and address at all...
A truly paranoid person would buy using cash in a store two states away from their own — and then use Tor to download the results. Maybe. But even simply retaining anonymity is enough for most cases...
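The design sketched above, as an added Python example (not 23andMe's system; class and method names are assumptions): the kit ships with a random token, the server indexes reports by a hash of that token, and the customer presents the token to read the report, so the company never holds a name or address and a leaked copy of the database links no report to a person.

```python
# Pseudonymous kit-token lookup, an added example sketching the design the
# comment proposes (not 23andMe's system). Names and structure are assumptions.
import hashlib
import secrets

class ResultStore:
    """Server side: reports are indexed by SHA-256(kit token); no name, address
    or e-mail is ever collected, so a leaked copy links results to nobody."""
    def __init__(self):
        self._reports = {}

    @staticmethod
    def _key(token):
        # The token is the only secret. It carries 192 bits of entropy, so a plain
        # hash (no per-record salt) is enough to stop lookups from a leaked dump.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_kit(self):
        """Generate the token printed inside the kit; the server keeps only its hash."""
        token = secrets.token_urlsafe(24)
        self._reports[self._key(token)] = None  # kit issued, sample not processed yet
        return token

    def record_report(self, token, report):
        """Lab side: the sample arrives with its token; attach the finished report."""
        key = self._key(token)
        if key not in self._reports:
            raise KeyError("unknown kit token")
        self._reports[key] = report

    def fetch(self, token):
        """Customer side: present the token (the 'cookie') to read the report."""
        return self._reports.get(self._key(token))

    def leaked_copy(self):
        """What someone who dumps the database would see: hashes and reports only."""
        return dict(self._reports)

def demo():
    store = ResultStore()
    token = store.issue_kit()
    store.record_report(token, {"marker": "constructed-value"})
    dump = store.leaked_copy()
    # The dump holds neither the token nor any identity, and a wrong token yields
    # nothing. Relatives who sign up under real names can still narrow down who
    # you are; this only removes the direct name-to-genome link from the records.
    return (store.fetch(token) is not None, store.fetch("not-the-token") is None,
            token not in dump and all(len(k) == 64 for k in dump))
```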
Re: (Score:2)
They can triangulate you based on relatives who give their ID.
Send it to Germany if you care about privacy. For now that's safer but be aware that laws can be revoked.
The odds of you having a genetic disease are low so eat right and exercise while you consider your options.
Re: (Score:2)
Yes, I know, they can. But I was not talking about subpoena-proof privacy — just protecting against the accidental data-leaks like this one...
They shouldn't be asking for IDs to begin with — heck, they shouldn't even be asking for names!
What, they aren't asking for the customers' names in Germany?
Justice (Score:3)
Lawyers: $25 million
Customer that was actually wronged: 25 cents
10% of one year? (Score:5, Insightful)
Re: (Score:2)
We all know that the data was stolen by intelligence agencies or bioweapons manufacturers and they'll be reimbursed in some plausibly-deniable way.
Notice that the Theranos op/scam to steal everybody's sequence data was allowed to collapse as soon as it was discovered that people would actually pay to give away their sequence data.
Is that "mandatory 2FA" real 2FA? (Score:2)
Is that "mandatory 2FA" at least an authenticator app or a Yubikey? Or is it the pseudo-2FA done with text messages?
Laughable and pathetic (Score:2)
That is $5 per person affected, i.e. much less than they paid. And nobody goes to prison. Seems to me there is no actual interest in protecting personal data.