Advertisement
Security

23andMe Settles Data Privacy Claims

A multi-state settlement highlights the massive fallout from a 2023 breach that exposed sensitive genetic data for millions of customers.

··1 hour ago·2 min read
red and black love lock
Photo by FlyD on Unsplash
Advertisement

The security failures at 23andMe have culminated in an $18 million settlement with a coalition of 43 attorneys general. This resolution arrives after a protracted investigation into how the genetic testing firm handled the exposure of deeply sensitive customer information during a series of credential-stuffing attacks.

Neglected Safeguards Exposed

The investigation, led by New York Attorney General Letitia James, revealed significant lapses in the firm’s defense architecture. Investigators found that the organization lacked foundational security controls, including basic multifactor authentication and effective rate limiting. Furthermore, the company failed to implement sufficient breach-detection monitoring, allowing unauthorized access to persist for months.

Companies have a duty to protect their customers' personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures.

— Letitia James, New York Attorney General

A History of Data Exposure

The breach originated from attacks occurring between April 2023 and September 2023, resulting in the theft of data from 6.9 million customers. The fallout was substantial, with stolen genetic profiles appearing for sale on the dark web. Initially, the company attempted to shift blame onto user password practices rather than addressing its own internal vulnerability management.

  • The firm agreed to pay $18 million in the latest multistate settlement.
  • Credential-stuffing attacks went unnoticed from April 2023 to September 2023.
  • A total of 6.9 million customer records were compromised.
  • The company previously agreed to pay $30 million for a separate class-action lawsuit.
  • The UK ICO fined the firm £2.31 million for its security failings.
  • The company was eventually acquired for $305 million in July 2025.

Regulatory and Legal Reckoning

The aftermath of the 2023 incident forced the company to navigate a complex landscape of multiple class-action lawsuits and amend its Terms of Use in an effort to curb litigation. Despite these efforts, the company faced Chapter 11 bankruptcy proceedings in March 2025. The eventual sale to the TTAM Research Institute included strict new security requirements, mandating the creation of a data security advisory board and formal risk analysis protocols.

Implications for Genetic Privacy

The case underscores the extreme risk profile of biometric and genetic databases. For consumers, the permanent nature of genetic data means that once such information is leaked, it cannot be reset like a password. For businesses, the 23andMe saga serves as a reminder that shifting blame for credential-based attacks is rarely an effective defense against regulatory scrutiny. Organizations holding highly sensitive personal data must prioritize proactive testing to ensure that security layers are functional before an incident occurs, as the long-term cost of failure—measured in millions of dollars and lost trust—far exceeds the investment required for robust protection.

#data breach#genetics#privacy#cybersecurity#settlement

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement