23andMe disclosed the data breach last October, but did not confirm the full impact until December. For customers using its DNA Relatives feature, the hack may have exposed information such as names, birth years and ancestry information. At the time, 23andMe attributed the hack to credential stuffing, a tactic in which attackers log into accounts using credentials reused from previous breaches.
The breach was a major blow to the already struggling company. As 23andMe's stock price continued to plummet, 23andMe CEO Anne Wojcicki attempted to delist the company earlier this year, but the special committee rejected the offer last month. The settlement mentions concerns about the company's finances and states, “Any judgment significantly in excess of the settlement amount is likely to be uncollectible.” In a statement to The Verge, Katie Watson, a spokeswoman for 23andMe, said the company expects cyber insurance to cover $25 million of the settlement:
We have entered into a settlement agreement for an aggregate payment of $30 million to settle all U.S. claims related to the Credential Stuffing Security Incident in 2023. Plaintiffs' attorneys have filed a motion with the Court seeking preliminary approval of this settlement agreement. Approximately $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance. We continue to believe that this settlement is in the best interests of 23andMe's customers and look forward to finalizing the agreement.
The proposed settlement still requires the judge’s approval.