23andMe Faces $18 Million Settlement Over Data Breach Affecting 6.9 Million Users
Genetic testing giant **23andMe** has agreed to an $18 million settlement with a coalition of 42 state attorneys general following a significant data breach that exposed the sensitive genetic and ancestry information of 6.9 million users. The agreement mandates stringent new data protection measures and reaffirms customer rights to data deletion, highlighting critical cybersecurity failings that led to the incident.
A multi-state investigation has concluded with **23andMe** agreeing to an $18 million settlement. This follows a data breach in October 2023 that compromised the genetic ancestry data and personal information of 6.9 million individuals.
The settlement, spearheaded by a coalition of 42 state attorneys general, addresses multiple cybersecurity deficiencies identified within the company's infrastructure.
### Cybersecurity Failings Uncovered
According to a press release from the office of New York Attorney General **Letitia James**, **23andMe** initially denied the breach, then subsequently attributed blame to customers' account configurations and password practices. The investigation, however, revealed a series of critical security lapses.
These included a lack of protection against credential stuffing attacks, insufficient intrusion prevention measures, and a failure to implement adequate logging and monitoring systems for potential breaches. Furthermore, the company reportedly neglected to patch known vulnerabilities, probe atypical login patterns, or test new design features for security flaws.
### New Data Protection Mandates
The settlement imposes several new data protection requirements on **23andMe** and its successor, the **23andMe Research Institute**. These include:
* Undertaking regular risk assessments.
* Appointing a special board to oversee data security protocols.
* Ensuring customers retain the indefinite right to destroy their genetic samples and delete personal data.
### The Aftermath of the Breach
The October 2023 breach saw stolen data posted on the dark web. **23andMe** did not discover the breach until months after it occurred. The company later filed for bankruptcy protection in March 2025.
In June, a Missouri bankruptcy court approved a separate settlement, establishing a $47 million fund for victims of the breach.
### The **23andMe Research Institute** and Data Stewardship
In July 2025, the **Wojcicki**-led **23andMe Research Institute** (formerly **TTAM Research Institute**), a nonprofit public benefit corporation, acquired **23andMe**'s assets for $305 million. This acquisition included genetic data for customers who had not requested the destruction of their information.
The institute has committed to upholding **23andMe**'s existing privacy policy, which prohibits sharing data with employers, insurers, public databases, and law enforcement without a court order, subpoena, or search warrant. It will also continue the practice of sharing and selling de-identified customer data for biomedical research purposes.