Recent Class-Action Settlement and FCC Fine Underscore the High Costs of Failed Data Security

Two notable data breaches, each impacting millions of US consumers, resulted in companies paying over $40 million in fines or settlements in mid-September, including 23andMe settling a class-action suit for $30 million and AT&T agreeing to pay the Federal Communications Commission (FCC) a $13 million fine. The AT&T fine was related to a data breach impacting an AT&T cloud vendor in 2023, while the 23andMe incident was related to a credential stuffing attack that led to data compromise of nearly 7 million user accounts.

The 23andMe settlement pertains to an incident that was first announced in October 2023, after the intrusion had been going on for 6 months. In a statement to USA Today, a 23andMe representative said the company reached a settlement of $30 million related to a class-action suit “to settle all US claims regarding the 2023 credential stuffing security incident.” The company expects that $25 million of the settlement and associated legal fees will be covered by their cyber insurance policy.

Credential stuffing attacks utilize username and password pairs compromised in data breaches, attempting to access accounts created by the breach victim using the same credential pair, typically via bots or automated means. The parties behind the credential stuffing attacks were able to successfully gain access to 14,000 23andMe customer accounts, then access the ancestry data of 6.9 million profiles connected via DNA Relative profiles and Family Tree service features.

Compromised data include user account information, dates of birth, family names, location, DNA matches and more. 23andMe has also agreed to strengthen security protocols including enhanced protections against credential stuffing attacks.

AT&T reached an agreement to pay the FCC a $13 million fine following “investigation into the company’s supply chain integrity and whether it failed to protect the information of AT&T customers in connection with a data breach of a vendor’s cloud environment,” as stated in an FCC press release. The FCC found in their investigations that AT&T failed to ensure this vendor adequately protected customer information or return/destroy customer information as required by contract.

In addition to the fine, AT&T will “make significant investments in and prioritize the safeguarding of customer’s information shared with third parties.” Note that this fine is related to a 2023 incident, and that a more recent AT&T data breach made public in July of may result in significantly large fines or settlements.