In October, 23andMe disclosed a data breach but did not confirm its full impact until December. The breach potentially exposed the information of customers using the DNA Relatives feature, including names, birth years, and ancestry details. The company attributed the breach to credential stuffing, a method that involves using recycled logins from previous security breaches to access accounts.
This breach had a significant impact on the already struggling company. As 23andMe’s stock price continued to decline, CEO Anne Wojcicki attempted to take the company private earlier in the year. However, last month, the special committee rejected her proposal. The settlement addressed concerns regarding the company’s financial health, stating that any litigated judgment significantly higher than the settlement amount would likely be uncollectable.
In a statement to The Verge, 23andMe spokesperson Katie Watson noted that the company expects cyber insurance to cover $25 million of the $30 million settlement related to the 2023 credential stuffing incident. Watson emphasized that the company believes the settlement is in the best interest of its customers and looks forward to finalizing the agreement.
The proposed settlement is still pending judicial approval.