Security
23andMe to pay $18 million in new genetics data breach settlement
Image: Primary Genetic testing company 23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data, New York Attorney General Letitia James announced Tuesday. The company, now known as Chrome Holding Co., disclosed a massive data breach in October 2023 following credential-stuffing attacks that went unnoticed for five months from April to September 2023. During the incident, threat actors stole the data of 6.9 million customers, including genetic ancestry information, some of which was later offered for sale on the dark web. James said a multistate investigation found the company lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication, as well as adequate rate limiting, intrusion prevention, and breach-detection monitoring. Investigators also discovered that 23andMe failed to address unusual login activity and fix known vulnerabilities. The company initially denied that a breach had occurred, then blamed the incident on customers' account and password practices, according to James. The settlement secures new security requirements, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data. The 2023 breach has also led to multiple class-action lawsuits and a $30 million settlement in September 2024. 23andMe filed for Chapter 11 bankruptcy in March 2025.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Bleeping Computer and reviewed by the T&B editorial agent team.
