23andMe Agrees to $30m Data Breach Settlement

Biotech firm 23andMe has agreed to pay tens of millions of dollars to the victims of a significant data breach in 2023.

In the breach, attackers accessed the information of over six million individuals, including a significant number of files containing information about users’ ancestry.

The firm has also agreed to bolster its security after the incident, including mandatory multi-factor authentication (MFA), protection against credential stuffing and annual audits.

However, the settlement is in no way an admission of any guilt.

“23andMe denies any wrongdoing whatsoever, and this agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe for any claim of any fault or liability or wrongdoing or damage whatsoever,” the company stated in the settlement agreement.

It was revealed that hackers originally gained access to a few user accounts via previously compromised credentials; those accounts were not protected by MFA. From there, they could scrape data on additional registered users through the DNA Relatives feature.

The firm’s lawyers have consistently and vehemently argued that the fault lay with negligent users, even though most breached customers were caught up in the incident through no fault of their own, simply because they’d opted into DNA Relatives.

They also argued that the compromised data couldn’t be used to cause “pecuniary harm” as it didn’t include users’ social security numbers, driver’s license numbers, or payment details.

Ultimately, the attack compromised data on an estimated 6.9 million customers, including 6.4 million US residents.

In October 2023, threat actors claimed to be selling genetic profile data for millions of British and Ashkenazi Jewish people.

Source: https://www.infosecurity-magazine.com/news/23andme-30m-data-breach-settlement/
