web analytics

23andMe to Pay $30M for Credential Stuffing Hack Settlement – Source: www.databreachtoday.com

23andme-to-pay-$30m-for-credential-stuffing-hack-settlement-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cybercrime
,
Fraud Management & Cybercrime
,
Healthcare

Millions of Customers Will Also Be Offered Monitoring of Genetic Data on Dark Web

Marianne Kolbasuk McGee (HealthInfoSec) •
September 24, 2024    

23andMe to Pay $30M for Credential Stuffing Hack Settlement
Users of 23andMe’s DNA Relatives feature were among millions affected by a 2023 credential stuffing attack. (Image: 23andMe)

Under a proposed $30 million settlement of about 40 consolidated class action lawsuits, genetics testing firm 23andMe will make cash payments to millions of individuals whose sensitive information was compromised in a 2023 credential stuffing incident.

See Also: How Healthcare Can Stay Ahead of Ransomware Attacks

Affected customers also will be offered three years of free monitoring services that not only include identity and credit monitoring but also scans of the dark web for exposure of their genetic data.

The proposed settlement was filed in a northern California federal court on Sept. 12 and is slated for a preliminary hearing on Oct. 17.

23andMe in a statement to Information Security Media Groups said the company expects that roughly $25 million of the settlement and related legal expenses will be covered by its cyber insurance policy.

“We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

The company declined ISMG’s request for further details, including the amount of cash that will be potentially offered to class members. “We cannot comment on this, especially as the settlement has not been formally approved,” the statement says.

23andMe said that in early October 2023, the company learned that a threat actor accessed “a select number” of individual 23andMe.com accounts through credential stuffing. The hacker was able to access about 14,000 user accounts, less than 1% of the company’s existing 14 million 23andMe customers, 23andMe said (see: 23andMe Investigating Apparent Credential Stuffing Hack).

“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles – approximately 5.5 million – and Family Tree feature profiles – approximately 1.4 million, each of which were connected to the compromised accounts.

Threat actors last year claimed on the dark web to have stolen “20 million pieces of code” from 23andMe. According to media reports, the leaked data that was put up for sale pertained to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry (see: 23andMe Says Hackers Stole Ancestry Data of 6.9M Users).

Under the proposed settlement, class settlement members will be offered three years of complimentary “Privacy & Medical Shield + Genetic Monitoring” from CyEx, an independent operating company that is part of Pango Holdings.

In a court document filed with the proposed settlement, a CyEx executive said the Privacy & Medical Shield + Genetic Monitoring service “was designed and built by CyEx specifically for the 23andMe class members and includes multiple features that have never been provided to data breach or security incident victims.”

The list of monitoring services includes dark web monitoring for 17 “unique data categories of Settlement Class Members’ sensitive data that may be exposed, listed for sale or trade on the dark web.”

That includes “specially designed monitoring capacity to scan the dark web for any genetic-related data specific to settlement class members that may be for sale or trade.

“If genetic-related data is located, CyEx will alert the settlement class member who may contact customer support to speak with a remediation specialist about identifying potential mitigation efforts,” the court document says.

The dozens of putative proposed class action lawsuits filed against 23andMe alleged among other claims that the company failed to properly protect personal information in accordance with its responsibilities, had inadequate data security protocols and violated various state genetic information privacy statutes and other state consumer statutes.

As part of the settlement agreement, 23andMe is required to implement a long list of security improvements that will not be paid from the settlement fund.

The list includes implementing enhanced password protection, mandating multifactor authentication, conducting annual cybersecurity scans and audits, creating a comprehensive data security program, and enforcing a data retention policy to avoid maintaining information of inactive or deactivated customers beyond an appropriate period of time.

Original Post url: https://www.databreachtoday.com/23andme-to-pay-30m-for-credential-stuffing-hack-settlement-a-26357

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

Microsoft
GDPR & Generative AI
GDPR & Generative AI
European Union Agency for Fundamental Rights
GDPR IN PRACTICE
GDPR IN PRACTICE
FS.ISAC
Navigating Cyber
Navigating Cyber
KPMG
Fraud risk management
Fraud risk management
CYFIRMA
Fletchen Stealer
Fletchen Stealer
IGNITE Technologies
FILE TRANSFER CHEAT SHEET
FILE TRANSFER CHEAT SHEET
Securesee
CYBER CRISIS INVESTIGATION AND MANAGEMENT
CYBER CRISIS INVESTIGATION AND MANAGEMENT
ACN
Guidelines for secure AI system development
Guidelines for secure AI system...
Incibe
Ciberseguridad en Smart Toys
Ciberseguridad en Smart Toys
Flashpoint
Global Threat Intelligence Report
Global Threat Intelligence Report
HSBC
A new payments paradigm
A new payments paradigm
WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program

More Latest Published Posts

ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos
INNOVERY
RESILIENCIA
RESILIENCIA
CEH
Certifications Preparation Guide
Certifications Preparation Guide
Sandhya Kaushik
Checklist for Securing Your Android Apps
Checklist for Securing Your Android Apps
aDvens
May Cyber Threat Intelligence monthly report
May Cyber Threat Intelligence monthly report
Insikt Group
Caught in the Net
Caught in the Net
IGNITE Technologies
BURP SUITE FOR PENTESTER TURBO INTRUDER
BURP SUITE FOR PENTESTER TURBO INTRUDER
SYED ABUTHAHIR
BUG BOUNTY AUTOMATION WITH PYTHON
BUG BOUNTY AUTOMATION WITH PYTHON
Foresiet
Brand Impersonation Attacks
Brand Impersonation Attacks
Google Cloud
Board of Directors Handbook for Cloud Risk Governance
Board of Directors Handbook for Cloud Risk Governance
ISACA
Blueprint for Ransomware Defense
Blueprint for Ransomware Defense
Shaurya Rawal
Blockchain Security
Blockchain Security
RISK academy
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
IGNITE Technologies
Best Alternative of Netcat
Best Alternative of Netcat