23andMe disclosed the data breach last October, but it didn’t confirm the overall impact until December. Customers using the DNA Relatives feature may have had information like names, birth years, and ancestry information exposed through the breach. At the time, 23andMe attributed the hack to credential stuffing, a tactic that involves logging in to accounts using recycled logins exposed in previous security breaches.
The breach dealt a big blow to the already struggling company. As 23andMe’s stock price continued to crater, 23andMe CEO Anne Wojcicki attempted to take the company private earlier this year, but the special committee rejected the offer last month. The settlement mentions concerns surrounding the company’s finances, saying, “Any litigated judgment significantly more than the Settlement is likely to be uncollectable.” In a statement to The Verge, 23andMe spokesperson Katie Watson said the company expects cyber insurance to cover $25 million of the settlement:
We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident. Counsel for the plaintiffs have filed a motion for preliminary approval of this settlement agreement with the court. Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.
The proposed settlement still needs approval from the judge.