23andMe To Pay $30 Million In Genetics Data Breach Settlement (bleepingcomputer.com)
- Reference: 0174991787
- News link: https://yro.slashdot.org/story/24/09/13/2152229/23andme-to-pay-30-million-in-genetics-data-breach-settlement
- Source link: https://www.bleepingcomputer.com/news/security/23andme-to-pay-30-million-in-genetics-data-breach-settlement/
> The [3]proposed class action settlement (PDF), filed Thursday in a San Francisco federal court and awaiting judicial approval, includes cash payments for affected customers, which will be distributed within ten days of final approval. "23andMe believes the settlement is fair, adequate, and reasonable," the company said in a memorandum [4]filed (PDF) Friday.
>
> 23andMe has also agreed to strengthen its security protocols, including protections against credential-stuffing attacks, mandatory two-factor authentication for all users, and annual cybersecurity audits. The company must also create and maintain a data breach incident response plan and stop retaining personal data for inactive or deactivated accounts. An updated Information Security Program will also be provided to all employees during annual training sessions.
"23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives' claims for statutory damages," the company said in the filed preliminary settlement.
"23andMe denies any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of 23andMe with respect to any claim of any fault or liability or wrongdoing or damage whatsoever."
[1] https://www.bleepingcomputer.com/news/security/23andme-to-pay-30-million-in-genetics-data-breach-settlement/
[2] https://it.slashdot.org/story/23/12/04/1911229/23andme-confirms-hackers-stole-ancestry-data-on-69-million-users
[3] https://storage.courtlistener.com/recap/gov.uscourts.cand.428003/gov.uscourts.cand.428003.103.2.pdf
[4] https://storage.courtlistener.com/recap/gov.uscourts.cand.428003/gov.uscourts.cand.428003.105.0.pdf
so $2/user? (Score:2)
$30 million for 6.4million users.
No mention of what the attorney's fees are in the document that I saw, but somehow that always seems to be about 1/2 of the settlement on these sorts of things... so $15m for 6.4m people, or $2.34 per person.
Then there's mailing all of the folks to let them know about it, then again to mail the checks out... it might not even make it to $2 per person for this
useless penalty (Score:2)
they charge $99/year... are paying out roughly $4.68 per impacted user...
I'm sorry- but "23andMe believes the settlement is fair, adequate, and reasonable" screams they think they got a sweetheart deal out of this. Think the law firm representing the affected users needs to be reviewed. Although... looking at their financials (23 and me), maybe the lawyers thought the business might be bankrupt if it went any longer.
Mandatory two-factor authentication (Score:2)
Thereby needlessly punishing all the customers who use strong passwords.
I hate every form of two-factor authentication, but especially the most common kind used by stupid websites: sending you a one-time password.
I would seriously consider dumping any service that starting requiring this.
They share your DNA with the cops (Score:3)
And even if you've never done anything wrong if one of your distant relatives has there's a chance you could get a knock on the door from the cops. That could turn into major legal problems costing you tens of thousands of dollars to fight off or worse they could force you into a fake confession. It sounds like something out of bad TV but John Oliver has a good video on it and on police interrogation in general.
What I'm saying is don't use these services. If you want to have your genome sequenced go see a doctor.
Unless you're a white supremacist of course. In which case it's fucking hilarious when they find out they're like 20% or 30% black. And don't anyone tell them where the human race originated...
Zero trust (Score:3)
I have zero trust that a company like 23andme will hold my information securely.
The only way I would give up my DNA information to a company is if they didn't hold it at all.
But if a company like 23andme told me they weren't holding it, I wouldn't trust that either. They'd have to go to pretty extreme lengths to get that kind of trust. Some boilerplate "Your privacy is very important to us" screen doesn't cut it, and if anything decreases my trust.
Re: (Score:2)
The only way I would give up my DNA information to a company is if they didn't hold it at all.
Even then, there's no way in hell I'd trust that they were telling the truth about them not keeping it. They have nothing to lose by lying and everything to gain.
Re: (Score:2)
You shouldn't trust *any* company to hold *any* of your data securely. It's all at risk. All of it, everywhere.
Re: (Score:2)
The company I worked for had its accounting system breached. My doctor had his medical systems breached. I'm pretty sure my bank had a breach.
Fuck it. You buckle up and take the ride, hope it doesn't affect you and try not to think about what you can't control.
But if I'm ever on a jury for someone who committed cybercrime, I'm voting for capital punishment even though we don't have that here.
I'm so hairy (Score:2)
I use 24andMe
Oblig (Score:2)
"All clients of 23andMe are strongly advised to change their genome to prevent any future attacks using this data."
Admit no wrongdoing? (Score:3)
I don't understand statements like these from companies forced to pay a settlement. Of course you're guilty, and you know it, or you would not have settled in the first place. Corporations are out of touch with reality. They just look stupid stating things like this.
Re: (Score:2)
> Of course you're guilty, and you know it, or you would not have settled in the first place.
This is a civil suit. "Guilt" isn't even relevant, and demonstrating guilt is not necessary for the defendants to prevail.
The two sides sat down and hashed out a business deal close to what they believed a trial outcome would've been but avoided the uncertainty and legal costs. That's it.
It's about money, not "guilt".
Re: (Score:2)
It is possible to cause harm without first doing something "wrong." I'm not saying that is the case here, just that settling a lawsuit doesn't always imply that the company feels they did something wrong, only that they know that they caused harm, and they'd rather settle than risk even bigger penalties if they lose the lawsuit in court. From their perspective, better to pay a known "small" amount now, than an unknown *larger* amount later.