23andMe has agreed to a $30 million settlement over a data breach affecting 6.4 million users last year. The breach occurred after hackers accessed 14,000 accounts and exploited the company’s “DNA relatives” feature to collect information from millions more. Some victims of the breach filed lawsuits, accusing the DNA testing company of failing to safeguard their personal data.
Under the settlement, affected users can file “extraordinary claims” for up to $10,000 if they suffered financial fraud or unreimbursed costs, with a total cap of $5 million on such claims. Additionally, a $100 payment will be made to users in specific states or those whose health data was exposed.
As part of the agreement, 23andMe will also provide three years of identity monitoring services to all affected users and bolster its security with enhanced measures like multi-factor authentication and more regular cybersecurity audits.
The settlement still needs final court approval, and some users may opt out to pursue separate legal actions. 23andMe expects to cover $25 million of the settlement through its cyber insurance policy.