23andMe to Pay $18 Million in Genetics Data Breach Settlement

▼ Summary
– 23andMe agreed to pay $18 million to settle claims from 43 attorneys general that it failed to protect customers’ genetic data.
– A data breach from April to September 2023, unnoticed for five months, stole data from 6.9 million customers, including genetic ancestry information later sold on the dark web.
– An investigation found the company lacked basic security safeguards like multifactor authentication and breach-detection monitoring, and initially denied the breach.
– The settlement requires new security measures, including a data security advisory board and continued consumer rights to delete data.
– The breach led to class-action lawsuits, a $30 million settlement, a UK fine, and 23andMe’s March 2025 Chapter 11 bankruptcy filing, followed by a $305 million asset acquisition.
Genetic testing company 23andMe, now operating under the name Chrome Holding Co., has reached a settlement requiring it to pay $18 million to resolve a multistate investigation led by 43 attorneys general. The coalition alleged that the firm failed to adequately safeguard its customers’ highly sensitive genetic data, leaving it exposed to cybercriminals.
The company first disclosed a major security incident in October 2023, revealing that credential-stuffing attacks had gone undetected for nearly five months, spanning from April to September of that year. During that window, attackers stole information belonging to 6.9 million customers, including detailed genetic ancestry records. A portion of that stolen data was later listed for sale on the dark web, with hackers releasing millions of genetic profiles as proof of the breach’s authenticity.
New York Attorney General Letitia James announced on Tuesday that the subsequent multistate investigation uncovered a lack of fundamental cybersecurity measures at 23andMe. The company reportedly did not implement password blocklisting, multifactor authentication, adequate rate limiting, or proper intrusion prevention and breach-detection monitoring systems.
Investigators further found that 23andMe failed to respond to unusual login activity and neglected to patch known security vulnerabilities. According to James, the company initially denied that a breach had occurred and later attempted to shift blame onto customers, citing their account and password practices.
Under the terms of the settlement, Chrome Holding Co. must now implement new security protocols. These include establishing a data security advisory board, conducting regular risk analysis protocols, and preserving customers’ rights to request deletion of their genetic data.
“Companies have a duty to protect their customers’ personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures,” James stated. “New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition’s action, 23andMe will pay for violating the law and strict rules will be put in place to protect their customers.”
The 2023 incident has triggered a cascade of legal consequences beyond this settlement. Multiple class-action lawsuits were filed, prompting 23andMe to revise its Terms of Use in November 2023 in an effort to make litigation more difficult. The company claimed at the time that the changes were solely intended to simplify the arbitration process.
In September 2024, 23andMe agreed to pay $30 million to settle one proposed class action directly related to the breach. The company then filed for Chapter 11 bankruptcy in March 2025, citing years of financial struggles, and announced plans to sell its assets. This move prompted James and the coalition to file related claims.
By June 2025, James and 27 other attorneys general had filed a lawsuit aimed at protecting customers’ genetic data during the bankruptcy proceedings. That same month, the UK Information Commissioner’s Office (ICO) imposed a fine of £2.31 million (approximately $3.12 million) on 23andMe, citing “serious security failings” that led to the “profoundly damaging” data breach.
In July 2025, the TTAM Research Institute nonprofit, since reregistered as the 23andMe Research Institute and led by co-founder Anne Wojcicki, completed its acquisition of the DNA testing firm. The deal, valued at $305 million, secured all of 23andMe’s assets.
(Source: BleepingComputer)




