23andMe data breach and settlement: what you need to know

23andMe is in the spotlight, with some experts calling this the beginning of the end for the popular genetic testing company. It’s been a rough year for the saliva-based DNA testing brand, including a high-profile data breach and resignation from the company’s board of directors last month.

Users are wondering what’s next – and whether their personal data (including their literal DNA) is safe.

Here’s what we know so far.

What happened in the 23andMe data breach?

In October 2023, 23andMe launched an investigation after a “threat actor” alleged it had obtained millions of users’ personal data.

In December, the company confirmed through a filing with the Securities and Exchange Commission that a hacker had gained direct access to 0.1% of user accounts, or about 14,000 profiles. Still, because individual users can build networks that connect their information to other possible family members, the hacker was able to view the information of millions of users.

A company spokesperson told news media at the time that a total of 6.9 million people were affected: about 5.5 million customers who signed up for 23andMe’s “DNA Relatives” feature and another 1.4 million users whose family tree information was used.

The accessible information included:

  1. Display name, profile photo and year of birth

  2. How recently they logged into their account

  3. Their relationship status

  4. Their self-reported location by city and zip code

  5. Predicted relationships with others

  6. DNA percentages that users share with their “DNA relatives”

The company added that an additional 1.4 million customers who used the ‘DNA Relatives’ feature had their ‘Family Tree’ profiles accessed, which contain a limited subset of profile data.

23andMe said at the time that the hacker activity was under control and required existing users to reset their passwords and enable multi-factor authentication to log in.

The issue resulted in a class action lawsuit filed in January and settled earlier this month.

Who is eligible for 23andMe settlement money?

As part of the settlement, 23andMe admitted no wrongdoing and agreed to pay $30 million to affected parties, including up to $10,000 for parties who suffered significant losses such as identity theft as a result of the breach.

The settlement will impact the millions of users whose data was targeted in the breach. To qualify for the settlement, affected 23andMe users must have been U.S. residents as of August 11, 2023.

At the time of publication, it is no longer possible to file a claim to be part of the settlement. Affected users should visit the official 23andMe settlement website and enter their information as it becomes available, Forbes said. The site offers an online claim form and a downloadable PDF version if you prefer to file by mail.

23andMe’s entire board of independent directors resigned last month, a rare move in the business world that experts say portends a volatile situation.

The seven directors said in a letter to Anne Wojcicki, co-founder and CEO of 23andMe, that they had not received a plan about the company’s future that inspired confidence.

Wojcicki previously expressed a desire to take 23andMe private, raising concerns among board members.

“While we continue to wholeheartedly support the company’s mission and believe deeply in the value of the personalized health and wellness offering you have articulated, it is also clear that we differ on the strategic direction for the company going forward,” the letter said. “Because of that difference and because of your concentrated voting power, we believe it is in the best interests of the Company’s shareholders that we resign from the Board of Directors, rather than engage in a protracted and distracting disagreement with you over the direction of the Company.”

Wojcicki responded to the resignations via an employee memo expressing her “surprise” and disappointment at the directors’ decision. She added that she still believed that taking 23andMe private was the best option for the company’s long-term future, but clarified that she is not considering any takeover proposals from third parties.

As of September, Wojcicki said she would immediately seek new directors for the board. At the time of publication, she remains the only board member listed on the company’s website.

Is 23andMe safe to use now?

Experts say 23andMe users’ data is no more at risk today than ever before, but add that customers should review the company’s privacy policy and consider what data is available and where they want to share it.

As part of the DNA-centric business, customers have the option to consent to 23andMe sharing their anonymized genetic information with third-party companies for a variety of reasons, including medical research. Experts told CBS that this type of data sharing can introduce vulnerabilities, but that they are not unique to 23andMe.

About 80% of 23andMe customers agree to participate in the company’s research program, which has produced nearly 300 peer-reviewed publications on genetic insights into diseases, the company said.

Still, users became more concerned when Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, raised a red flag about the company in a social media post.

“If you have a 23andme account, today is a good day to log in and request the deletion of your data,” she wrote on X.

How can I delete my data from 23andMe?

To delete an account, users can log in and go to the Account Settings tab. Users go through the prompts and identity verification before receiving an email from the company asking for confirmation to delete the account. Deleting an account is irreversible.

However, deleting an account does not necessarily delete all of the user’s personal data. The company plans to keep some of users’ genetic information, along with some personal data, including gender, birthday, email address and details about the account deletion request, the MIT Technology Review reported.

For users who have opted in to share anonymized genetic data with third parties, there is no way to delete the information or revoke what has already been shared.

Are there alternatives to 23andMe?

All online DNA testing services come with some privacy concerns, but legal guidelines to regulate personal data serve as protection. For some users looking for answers to health mysteries or searching for missing links to their family trees, the tradeoff is worth it.

Due to 23andMe’s uncertain future, review sites like the New York Times’ Wirecutter have stopped recommending the service in their DNA testing roundups.

The review site recommends AncestryDNA and FamilyTreeDNA as alternatives.