23andMe Agrees to $18 Million Settlement Over 2023 Genetic Data Breach

23andMe Agrees to $18 Million Settlement Over 2023 Genetic Data Breach

By
Key Takeaways
  • 42-State Coalition Reaches Settlement: A coalition of 42 state attorneys general reached an $18 million settlement with 23andMe's bankruptcy trustee over the company's 2023 data breach affecting millions of consumers.
  • 6.9 Million Customers Affected: The breach compromised the information of 6.9 million customers worldwide, including genetic ancestry information in some cases, with portions of the stolen data later offered for sale on the dark web.
  • Investigation Identified Security Deficiencies: Attorneys general alleged that 23andMe failed to implement reasonable security measures, including safeguards against credential stuffing attacks, multifactor authentication, adequate monitoring, and other basic cybersecurity controls.
  • Settlement Comes Through Bankruptcy: The agreement will be paid from available bankruptcy funds following 23andMe's March 2025 bankruptcy filing and is separate from a $46.75 million class-action settlement for affected U.S. consumers.
  • Consumer Protections Continue Under New Data Owner: The bankruptcy sale of 23andMe's consumer data to TTAM Research Institute includes enhanced security requirements, privacy obligations, an advisory board, and continued consumer data deletion rights.
Deep Dive

The legal fallout from 23andMe's 2023 data breach is now colliding with the company's bankruptcy proceedings. A coalition of 42 state attorneys general announced Tuesday that it has reached an $18 million settlement with the bankruptcy trustee for 23andMe, resolving allegations that the genetic testing company failed to implement reasonable safeguards before a breach that exposed the information of 6.9 million customers worldwide.

The settlement, which will be paid immediately from available bankruptcy funds, comes more than two years after 23andMe disclosed that attackers had gained access to customer accounts and obtained a broad range of personal information, including genetic ancestry information in some cases. Investigators said portions of the stolen data later appeared for sale on the dark web.

The agreement is separate from a $46.75 million class-action settlement reached in the bankruptcy case for affected U.S. consumers who submitted claims by Feb. 17, 2026.

"Consumers have a right to expect that the companies entrusted with their most personal information will protect it," the coalition said through Massachusetts Attorney General Andrea Joy Campbell, whose office announced the settlement. Campbell said the agreement reinforces security requirements for the remaining 23andMe data, preserves consumers' ability to delete their information, and makes clear that companies cannot cut corners when handling sensitive personal data.

A Breach Investigators Say Should Have Been Harder to Pull Off

The multistate investigation concluded that 23andMe failed to implement a series of security measures that could have reduced the likelihood or impact of the credential stuffing attack that compromised millions of accounts.

According to the attorneys general, the company did not compare customer passwords against databases of known compromised credentials or require multifactor authentication. Investigators also alleged that 23andMe failed to limit repeated login attempts, implement logging and monitoring capable of detecting suspicious activity, investigate unusual spikes in login attempts, remediate known vulnerabilities, and properly review and test design features.

The investigation also scrutinized the company's response after customer information began circulating publicly. According to the coalition, 23andMe learned of the credential stuffing attack months after affected consumer information had already become publicly available. The company initially denied that a breach had occurred and, after confirming the incident, initially attributed the compromise to customers' account configurations and password practices despite knowing that a 2017 breach involving its former partner, MyHeritage, had likely already exposed credentials belonging to many users.

Bankruptcy Changed the Course of the Case

The investigation was overtaken by events in March 2025, when 23andMe filed for bankruptcy protection. The participating states subsequently filed claims as part of the bankruptcy proceedings, ultimately reaching the settlement announced this week. Those proceedings also determined the future of one of the company's most valuable assets: its vast collection of consumer genetic data.

As part of the bankruptcy sale, that data was transferred to TTAM Research Institute, a nonprofit established by 23andMe's founder and former chief executive officer. The sale included conditions requiring enhanced data security measures, appropriate risk analyses, the creation of an advisory board, compliance with comprehensive privacy laws, and the continued availability of consumer data deletion rights.

The coalition said those protections largely reflect the obligations states would likely have sought through a direct settlement had the bankruptcy not intervened, while helping ensure that the new custodian of the data maintains stronger privacy and security safeguards going forward.

The attorneys general also noted that genetic information receives legal protections beyond general consumer privacy statutes in many jurisdictions. Massachusetts, for example, has a genetic privacy law that prohibits commercial genetic testing companies from disclosing genetic information records without informed written consent.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong