Genetic testing company 23andMe (NYSE: ME) has agreed to pay $30 million to settle a major class action lawsuit over a data breach that targeted a whopping 6.9 million customers. While the settlement does remove the uncertainty related to the case, does it mean that a struggling 23andMe is now out of the woods? Here, we'll discuss the lawsuit and what it means for 23andMe users and analyze the key troubles that the once-hyped company faces.
Last year, 23andMe suffered a massive data breach that affected millions of its customers, with hackers particularly targeting Ashkenazi Jewish and Chinese communities.
Those behind the breach had unrestricted access to its systems for five long months, and it only came to light when someone posted on Reddit that data of 23andMe users was being sold on the dark web. The massive data breach led to several lawsuits against the company, which now seem to have reached closure with the $30 million settlement.
23andMe will pay $30 million and provide three years of security monitoring to settle a lawsuit accusing the genetics testing company of failing to protect the privacy of 6.9 million customers whose personal info was exposed in a data breach last year https://t.co/CyM1Nhsn3V
— Reuters Legal (@ReutersLegal) September 13, 2024
23andMe Settles Class Action Lawsuit
While announcing the verdict, Judge Edward M. Chen took into account 23andMe’s precarious financial condition and the “limited funds available” at its disposal.
In its statement, 23andMe said that the settlement was “fair, reasonable and adequate.” Separately, it told Reuters that it expects $25 million of the cost to be covered by its cyber insurance coverage.
To be sure, 23andMe does have precarious financials: in Q1 2025, which ended in June, it lost $69 million while its revenues were a mere $40.4 million. However, the company ended the quarter with a respectable cash pile of nearly $170 million.
23andMe to Strengthen Its Cybersecurity Policies
Meanwhile, along with the payment, the judgment calls upon 23andMe to implement changes to its business practices. These include:
- Enhancing password protection
- Mandating multi-factor authentication
- Providing annual security awareness training for employees
- Conducting annual cybersecurity audits and computer scans
- Maintaining a written information security program
- Maintaining a threat management and data breach incident response plan
- Implementing a policy about retention of personal information of inactive customers
The judgment adds, “The Class Notice will direct Settlement Class Members to a link where a Settlement Class Member can delete all their information from 23andMe, and whereby 23andMe shall permanently delete such information in accordance with all applicable laws.” The costs for these remedial measures would be over and above the $30 million settlement.
23andMe Previously Defended Itself
Incidentally, in the past, 23andMe tried to evade responsibility for the massive data breach and even tried pinning the blame on victims by saying the users whose data was breached had used the same credentials on websites that were previously compromised.
“We do not have any indication that there was a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the company said in a December 2023 release.
After the data breach came to light, 23andMe took measures like asking all users to reset passwords and introducing two-factor authentication. “We’re 17 years old, data privacy and security has always been a really high priority and remains a high priority for the company and something that we are going to invest even more into,” said CEO Anne Wojcicki about the company’s security policy.
ME Stock Has Crashed
23andMe went public in June 2021 on the NASDAQ, riding the special purpose acquisition company (SPAC) wave – raising $592 million in gross proceeds from the merger transaction. Meanwhile, the month after the merger, the stock price fell below the SPAC IPO price of $10. The price did go above that price level in October of that same year, but the price hasn’t crossed $10 again since November 2021 after peaking at $17.65 in February 2021.
The company’s shareholders have approved a reverse stock split, which would help it become compliant with the Nasdaq listing requirements. Notably, Wojcicki was looking to take 23andMe private, but the board turned down her offer.
The board said that it was turning down the proposal as it “lacks committed financing, and it is conditional in nature. Accordingly, we view your proposal as insufficient and not in the best interest of the non-affiliated shareholders.” Importantly, her offer did not include any premium over 23andMe’s stock price, even though a premium is quite the norm in such take-private transactions.
That said, earlier this month, ME stock hit its all-time low of 29 cents, which is even below the 40 cents that Wojcicki offered for the troubled company.
ME Has Been Posting Perennial Losses
While 23andMe shares have rebounded from the lows after the settlement of the class action lawsuit, they still trade at depressed price levels with the company’s market cap stranded at a mere $170 million. Importantly, its enterprise value, which accounts for the debt and cash on its balance sheet, is a mere $76 million. Its price reflects the market’s pessimism towards the company which was once a promising unicorn.
23andMe continues to battle perennial losses and a slowdown in sales. In the fiscal year ending in March 2024, it generated revenues of just about $220 million, significantly below the $305 million that it posted in the fiscal year 2021. While markets were quite forgiving of loss-making companies between 2020 and 2021 – thanks to the abundance of easy money – investors have been quite wary of loss-making stories ever since the Fed embarked on its rate hiking cycle.