23andMe disclosed a data breach last October and only confirmed the extent of its impact this past December. Customers using the DNA Relatives feature may have had their names, birth years, and ancestry information exposed due to the breach. The company attributed the incident to a tactic known as credential stuffing, which involves using recycled login credentials that had been exposed in previous security breaches.
The breach significantly affected the company, which was already facing challenges. Amid a plummeting stock price, 23andMe CEO Anne Wojcicki attempted earlier this year to take the company private, but a special committee rejected the bid last month. The settlement associated with the breach mentions concerns about the company’s financial health, stating, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.”
In a statement to The Verge, 23andMe spokesperson Katie Watson indicated that the company expects cyber insurance to cover $25 million of the $30 million settlement:
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”
The proposed settlement still requires judicial approval.