Genetic testing company 23andMe, now operating as Chrome Holding Co., has agreed to pay $18 million to settle claims brought by a coalition of 43 US attorneys general over allegations that it failed to adequately protect customers’ sensitive genetic data.
The settlement stems from a 2023 data breach caused by credential-stuffing attacks that went undetected for five months, between April and September 2023. The breach was publicly disclosed in October 2023 after attackers stole data belonging to 6.9 million customers, including genetic ancestry information. Some of the stolen data was later offered for sale on the dark web, with millions of genetic profiles leaked to prove its authenticity.
A multistate investigation found that 23andMe lacked essential cybersecurity protections, including multi-factor authentication (MFA), password blocklisting, rate limiting, intrusion prevention, and effective breach detection systems. Investigators also concluded that the company failed to respond to suspicious login activity and did not address known security vulnerabilities.
According to New York Attorney General Letitia James, the company initially denied that a breach had occurred before later attributing the incident to customers’ password practices.
As part of the settlement, 23andMe must implement stronger cybersecurity measures, including establishing a data security advisory board, conducting regular risk assessments, and preserving customers’ right to permanently delete their genetic data.
The breach has already triggered multiple legal actions. In September 2024, the company agreed to pay $30 million to settle a proposed class-action lawsuit related to the same incident. It also revised its Terms of Use in late 2023, making it more difficult for customers to pursue lawsuits.
Following years of financial difficulties, 23andMe filed for Chapter 11 bankruptcy in March 2025, prompting additional legal action aimed at protecting customers’ genetic information during the bankruptcy process.
In June 2025, a coalition of attorneys general sued to safeguard customer data, while the UK Information Commissioner’s Office (ICO) fined the company £2.31 million ($3.12 million) over serious security failures linked to the breach.
Later in July 2025, the 23andMe Research Institute, led by co-founder Anne Wojcicki, completed the acquisition of the company’s assets in a $305 million deal.
Leave a comment