ME 23andMe Holding Company

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K/A

(Amendment No. 1)

CURRENT REPORT

Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): October 10, 2023

23andMe Holding Co.

(Exact name of registrant as specified in its charter)

349 Oyster Point Boulevard

South San Francisco, California 94080

(Address of principal executive offices, including zip code)

Registrant’s telephone number, including area code: (650) 938-6300

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

Securities registered pursuant to Section 12(b) of the Act:

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

On October 10, 2023, 23andMe Holding Co. (the “Company,” “23andMe,” “we,” “us,” and “our”) filed a Current Report on Form 8-K (the “Original Form 8-K”) reporting that it learned that certain user profile information, which a 23andMe user (each, a “user” and collectively, the “users”) creates and chooses to share with their genetic relatives in 23andMe’s DNA Relatives feature, was accessed and downloaded from individual 23andMe.com (the “23andMe website”) user accounts (the “incident”) by a threat actor (the “threat actor”). The Company is filing this Amendment No. 1 to the Original Form 8-K (this “Amendment”) to provide supplemental information regarding the incident. Except as expressly set forth herein, this Amendment does not amend the Original Form 8-K in any way and does not modify or update any other disclosures contained in the Original Form 8-K. This Amendment supplements the Original Form 8-K and should be read in conjunction with the Original Form 8-K.

On October 1, 2023, a threat actor posted online a claim to have 23andMe users’ profile information. Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity. Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.

23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward.

As of the filing date of this Amendment, the Company expects to incur between $1 million and $2 million in onetime expenses related to the incident during its fiscal third quarter ending December 31, 2023, primarily consisting of technology consulting services, legal fees, and expenses of other third-party advisors. The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results. As of the filing date of this Amendment, the Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024.

As of the filing date of this Amendment and as a result of the incident, multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome. The Company is also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies. The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time.

While the Company believes the investigation into these matters is complete, the Company may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. All information provided in this Amendment is as of the date hereof and 23andMe’s undertakes no duty to update this information except as required by applicable law.

Forward-Looking Statements

This Amendment contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to data, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational, and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise, or corruption of data, loss of business, reputational damage adversely affecting user relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident.

This Amendment includes several website addresses. These website addresses are intended to provide inactive, textual references only. The information on these websites is not part of this Amendment.

The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Dated: December 1, 2023