23andMe’s $30 million data breach settlement

If the recent 23andMe data breach affected you, you may qualify for compensation as part of a $30 million settlement. Here is an overview of the payouts and how to submit a claim.

In October 2023, 23andMe disclosed that approximately 14,000 customer accounts had been accessed without authorization. The attackers used a method called “credential stuffing,” relying on login credentials stolen from other platforms to infiltrate 23andMe accounts.

The attack exposed the personal information of millions of customers. Names, birth years, parentage information, and data shared through the “DNA Relatives” feature were left open to public view and malicious use. The company insisted that its systems were not directly compromised, but that meant nothing to the customers who had entrusted the company with such sensitive and private information.

Compensation to affected customers

The settlement outlines three categories of compensation with a maximum individual payout of up to $10,000 for certain claims:

  • Extraordinary requirements: Customers who have suffered major losses, such as identity theft or the cost of security measures, can apply for compensation of up to $10,000. To qualify, you must provide documentation such as receipts or records of related expenses. This category has an aggregate cap of $5 million, meaning payouts may be reduced if aggregate claims exceed this limit.
  • Health information claims: Customers whose sensitive health data was exposed during the breach are eligible for a payout of approximately $100. This category applies to health-related information that was compromised and has an aggregate limit of $750,000 for all claimants.
  • Statutory cash requirements: Residents of California, Illinois, Oregon and Alaska who received breach notices can claim a general damages amount, expected to be around $100. Applicants must verify their residence in one of these states.

Final payout amounts may vary depending on the volume of claims submitted and the total funds available in the settlement. If demand is high, compensation will be distributed proportionally.

How to file a claim

Once the official 23andMe settlement website is launched, you will be able to file your claim there. The site will provide both an online claim form and a downloadable PDF version for those who prefer to submit their claims by mail.

If you are filing a claim, be sure to include any necessary supporting documents, such as receipts or records of expenses. When your form is completed, you can send it by mail to:

23andMe Billing Manager
PO Box 301172
Los Angeles, CA 90030-1172

Be sure to submit your claim before the deadline. The exact date has not been set yet; it will be announced once the court gives the settlement final approval.

Additional benefits for those affected

Customers affected by the breach will also get three years of security monitoring services. These services will help detect identity theft and other security risks associated with the exposed data.

Filing a claim gives affected individuals a chance to obtain some compensation for unauthorized use of their personal information.

23andMe Data Breach Timeline

29 April – 27 September 2023: Unauthorized access to approximately 14,000 23andMe customer accounts occurred during this period. Attackers used a “credential stuffing” technique, relying on login credentials obtained from other breaches to gain access to 23andMe accounts.

October 2023: 23andMe publicly disclosed the data breach and revealed that sensitive personal information, including names, birth years and ancestry data, had been exposed.

December 2023: The company acknowledged that the breach affected approximately 6.9 million users, nearly half of its customer base at the time.

January 2024: Affected customers filed a class-action lawsuit against 23andMe in a San Francisco court, alleging a failure to protect their privacy.

13 September 2024: 23andMe agreed to a $30 million settlement to resolve the lawsuit, which includes cash payments to affected customers and three years of security monitoring services.

17 October 2024: The settlement is awaiting final court approval with details of filing processes and deadlines to be given upon approval. However, there have been no public updates confirming whether the court has given final approval as of 21 November 2024.