23andMe to pay $18 million in new genetics data breach settlement

4 hours ago 4

23andMe

Genetic testing company 23andMe (now Chrome Holding Co.) has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data.

23andMe disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months, from April 2023 to September 2023.

During the incident, the threat actors stole the data of 6.9 million customers, including their genetic ancestry information. Some of it was later offered for sale on the dark web, with the attackers leaking millions of genetic profiles as proof that the data was legitimate.

image

New York Attorney General Letitia James said on Tuesday that a multistate investigation launched after the incident was disclosed found that the company lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication, as well as adequate rate limiting, intrusion prevention, and breach-detection monitoring.

Investigators also discovered that 23andMe failed to address unusual login activity and fix known vulnerabilities. The company initially denied that a breach had occurred, then blamed the incident on customers' account and password practices, according to Attorney General James.

The settlement secures new security requirements at TTAM, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data.

"Companies have a duty to protect their customers' personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures," James noted.

"New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition's action, 23andMe will pay for violating the law and strict rules will be put in place to protect their customers."

Class-action lawsuits, fines, and settlements

The 2023 data breach has also led to multiple class-action lawsuits, prompting 23andMe to amend its Terms of Use in November 2023 to make it harder to sue, claiming at the time that the changes were intended only to simplify the arbitration process.

In September 2024, the California-based genetic testing provider also agreed to pay $30 million to settle one proposed class action lawsuit over the 2023 data breach.

23andMe filed for Chapter 11 bankruptcy in March 2025, announcing plans to sell its assets after several years of financial struggles, which prompted James and the coalition to file related claims.

In June 2025, James and 27 other attorneys general sued to protect customers' genetic data during the bankruptcy proceedings. The same month, the UK Information Commissioner's Office (ICO) fined 23andMe £2.31 million ($3.12 million) over 'serious security failings' that led to the 'profoundly damaging' data breach in 2023.

Four months later, in July 2025, the TTAM Research Institute nonprofit (now reregistered as 23andMe Research Institute and led by 23andMe co-founder Anne Wojcicki) completed the acquisition of the DNA testing giant after agreeing to pay $305 million to acquire all its assets.

article image

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Read Entire Article