The 23andMe data breach, disclosed by the genetic testing company last Friday, involved unauthorized access to the personal data of approximately 0.1% of its customers, equating to around 14,000 individuals. In this incident, the company acknowledged that hackers not only accessed these accounts but also obtained “a significant number of files containing profile information about other users’ ancestry.” However, 23andMe did not specify the total number of “other users” affected by the breach.
Further investigations revealed a substantial impact: approximately 6.9 million individuals were victims of this 23andMe data breach. In a statement to TechCrunch on Saturday, 23andMe spokesperson Katie Watson confirmed the breach compromised the personal information of around 5.5 million users subscribed to the 23andMe DNA Relatives feature.
This feature, which facilitates automatic data sharing among customers, led to the unauthorized access of sensitive information including names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations.
23andMe has additionally verified that a separate group of around 1.4 million individuals who opted-in to the DNA Relatives feature “had their Family Tree profile information accessed.” This compromised data includes display names, relationship labels, birth year, self-reported location, and whether the user chose to share their information, as per the spokesperson.
The reasons for 23andMe’s omission of these figures in their Friday disclosure remain unclear. With the revelation of these new numbers, it appears that the 23andMe data breach impacts nearly half of 23andMe’s reported total of 14 million customers.
Back in early October, a hacker claimed responsibility for stealing the DNA information of 23andMe users, posting the claim on a notable hacking forum. As evidence of the breach, they released alleged data of one million users of Ashkenazi Jewish descent and 100,000 users of Chinese descent, pricing the data at $1 to $10 per individual account. Two weeks later, the same hacker advertised purported records of an additional four million people on the same forum.
According to the report, TechCrunch discovered that another hacker on a different hacking forum had already offered a collection of supposedly stolen 23andMe customer data two months prior to the widely acknowledged advertisement. A detailed analysis by TechCrunch of this older leaked data revealed that some records matched genetic information previously published online by enthusiasts and genealogists. Despite being formatted differently, the two data sets shared unique user and genetic details, indicating that the leaked data was at least partially authentic 23andMe customer data.
In their October announcement regarding the breach, 23andMe attributed the incident to customers reusing passwords. This practice enabled hackers to break into victims’ accounts by replaying username and password pairs publicly exposed in other companies’ data breaches, an approach commonly called credential stuffing.
The 23andMe data breach’s impact was amplified due to the DNA Relatives feature, which connects users with their relatives. By gaining access to a single account, hackers could view personal data of not just the account owner but also their relatives. This method significantly increased the total number of affected individuals in the 23andMe data breach.
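The attack path described above, reused passwords tried against many accounts from a few sources, leaves a distinctive trace in authentication logs: one source touching many distinct accounts in a short window with a low success rate. The following detection routine is an added example, not code from 23andMe or from the original article; the log format and sample lines are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real 23andMe data).
# Each line: ISO-8601 timestamp, source IP, account, result (OK/FAIL).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 carol@example.com OK
2023-10-01T10:00:03Z 203.0.113.5 dave@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.5 erin@example.com OK
2023-10-01T10:00:05Z 203.0.113.5 frank@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:05:30Z 198.51.100.7 alice@example.com OK
"""


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that hit many *distinct* accounts within `window`.

    A legitimate user who mistypes a password retries the same account;
    a credential-stuffing run walks a list of leaked credentials, so one
    source touches many accounts and only a fraction of attempts succeed.
    Returns {ip: {"accounts": n_distinct, "compromised": [accounts that
    logged in OK]}}; the OK accounts are the ones to reset and sign out.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, result = parse_line(line)
        by_ip[ip].append((ts, account, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            if len(accounts) < min_accounts:
                continue
            successes = sorted({a for _, a, r in span if r == "OK"})
            if len(successes) / len(accounts) <= max_success_ratio:
                alerts[ip] = {"accounts": len(accounts), "compromised": successes}
    return alerts
```

The second source in the sample (one account, one failure, then success) is ordinary behaviour and is not flagged; the first is flagged with two successfully accessed accounts that would warrant a forced password reset and session revocation.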
How much compensation would a US company pay in such cases?
The compensation or penalties for a data breach involving the personal information of 7 million people can vary significantly and are not solely determined by precedent decisions. Several factors influence the compensation or penalties, including:
- Nature of the breach: Was it due to negligence, lack of security measures, or a deliberate attack?
- Type of data compromised: Was sensitive personal information (like Social Security numbers, financial details, health records) exposed?
- Laws and regulations: Different states have different laws governing data breaches, and there are federal regulations like HIPAA (for healthcare data) and GDPR (for European citizens’ data) that might also apply.
- Demonstrated harm: If the breach led to identity theft, financial losses, or other harm to affected individuals, compensation might be higher.
There isn’t a fixed formula or precedent that directly sets compensation for a specific number of affected individuals. Courts or regulatory bodies typically assess these factors to determine penalties, fines, or compensation. Companies might also negotiate settlements outside of court.
For instance, in some high-profile cases, companies have paid settlements ranging from thousands to millions or even billions of dollars, depending on the severity and impact of the breach. Each case is unique and tends to be assessed individually based on the circumstances and laws applicable at the time.
Example incidents
Keep in mind that each case involves different circumstances, affected populations, and legal contexts, so the outcomes may vary for the 23andMe data breach victims.
Equifax data breach
In response to a data breach impacting about 147 million individuals, Equifax agreed to a settlement of roughly $700 million. This agreement encompassed financial restitution for those affected, imposed penalties, and provisions for ongoing credit monitoring services.
Horizon data breach
In the settlement concerning the Horizon data breach, members of the settlement class who file a claim are eligible for the following compensation:
- Reimbursement for actual, documented, and unreimbursed out-of-pocket expenses incurred due to the Data Security Incident, with a maximum limit of $5,000.
- Compensation for the time invested in addressing issues stemming from the Data Security Incident, capped at 5 hours with a rate of $25.00 per hour, totaling a maximum of $125.
- A cash payout of up to $50 available to all settlement class members who file a claim. Additionally, an extra payment of up to $50 is designated for those who resided in California at the time of the Data Security Incident.
Facebook privacy settlement
The exact compensation for each claimant in the Facebook privacy settlement varies based on several criteria, including the duration of their activity on the platform. While precise amounts are hard to predict, the median estimated payout stands at about $30, as per the class counsel’s projections.
T-Mobile data breach
Should it be approved, T-Mobile’s proposed $350 million settlement will rank as the second-largest payout in a US data breach case. This settlement, pertaining to a 2021 cyberattack that exposed personal details of over 100 million users, may be allocated to both current and former T-Mobile customers.
So…
The outcomes of data breach settlements vary significantly with legal factors and the circumstances of each case, so the eventual resolution of the 23andMe data breach remains uncertain. The compensation and remedies provided to affected parties depend on the nature of the breach, the extent of the data compromised, and the jurisdiction’s legal framework. Predicting the exact outcome for the 23andMe incident is therefore difficult, as each case is subject to its own set of variables and legal considerations.
Featured image credit: Kerem Gülen/Midjourney