Reuters reported on Friday that the genetic testing company 23 and I has agreed to pay a $30 million settlement after a hack exposed the personal information of 6.9 million customers on the dark web. The company will also pay for three years of security monitoring for affected customers.
The class action lawsuit alleged that 23andMe failed to notify customers of Ashkenazi Jewish and Chinese descent that their personal data had been posted for sale and that they may have been specifically targeted in the April 2023 breach.
Related: 23andMe Hackers Selling Stolen User Data, Including 'Celebrity' DNA Profiles, on Dark Web
23andMe said the settlement was “fair, adequate and reasonable” in a court filing, for Reuters.
In one December 2023 blog post Addressing the hack, the company said the attack began in April 2023 and lasted about five months. At the time, 23andMe had about 14.1 million customers in its system. The company said the hack affected at least half of its database.
Who has the right to ask for money?
According to in court documents, affected users can seek anywhere from $100 to $10,000 for the most “extraordinary” cases. If the deal receives final approval, instructions will be provided on how to file for reimbursement.
Consumers in Alaska, California, Illinois and Oregon are subject to “genetic privacy laws with statutory damages provisions” and can only seek $100, for PCMag.