23andMe Faces New Security Mandates in $18m Data Breach Settlement
A settlement of $18m has been reached between a coalition of 42 US attorneys general and genetic testing firm 23andMe following the 2023 data breach.
New York Attorney General Letitia James and the bipartisan coalition has also ensured new data protection requirements to secure 23andMe customer data. 23andMe will also pay more than $705,000 to New York.
In October 2023, the genetics testing firm confirmed that customers had profile information accessed by cybercriminals following a credential stuffing campaign.
At the time of the incident, the company said that the hack was not the result of attackers infiltrating the firm’s own network, rather it was customers’ poor password management including the lack of multi-factor authentication (MFA).
Over six million individuals’ information was accessed from the data breach including information about ancestry.
In March 2025, 23andMe filed for bankruptcy protection. A statement issued by Attorney General James said that herself and the coalition filed claims related to the data breach investigation.
In June 2025, Attorney General James and a bipartisan coalition of 27 other attorneys general sued 23andMe to protect Americans’ personal genetic information during the company’s bankruptcy.
As a result of the bankruptcy, 23andMe’s customer data was sold to TTAM Research, a non-profit formed by 23andMe’s founder and former CEO Anne Wojcick.
Attorney General James and the coalition have secured new information and data security requirements at TTAM to protect customers’ data and prevent future breaches.
The security measures include:
- Appropriate risk analysis
- The addition of an Advisory Board on data security
- Continuing to offer consumers the right to delete their information
“Companies have a duty to protect their customers’ personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures,” said Attorney General James. “New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition’s action, 23andMe will pay for violating the law and strict rules will be put in place to protect their customers.”
Infosecurity has reached out to 23andMe in relation to the $18m settlement and security requirements.
This is in addition to a $46.75 million settlement which was approved by a US bankruptcy judge on July 7, to be awarded as compensation to victims of the data breach.
However, on 10 July, a bankruptcy judge said California cannot seek damages from the company because of their Chapter 11 reorganization plan, according to reporting by Reuters. However, the judge said California has 14 days to either dismiss its May 28 lawsuit, which was issued by Attorney General of California Rob Bonta, or amend the complaint to eliminate the claims for monetary relief.
The company was also fined €2.4m ($2.75m) in July 2026 by the Spanish privacy watchdog as 2642 customers residing in Spain were affected.
In June 2025, the UK’s Information Commissioner’s Office fined 23andMe £2.3m ($3.1m) for failing to protect customers’ special category data.