1) The fact 23andMe (now Chrome Holding Co.) has agreed to pay $18 million to settle claims from a coalition of 43 US state attorneys general that it failed to protect customers' genetic data. The settlement imposes new security requirements, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data. New York Attorney General Letitia James led the coalition calling the company's security measures "flimsy."
2) Context The original breach was disclosed in October 2023, following credential-stuffing attacks that went unnoticed for five months — from April to September 2023. A total of 6.9 million customers had their data stolen, including genetic ancestry information, some of which was later offered for sale on the dark web with millions of genetic profiles leaked as proof of validity. The multistate investigation found the company lacked basic safeguards: compromised password blocklisting, multifactor authentication, rate limiting, intrusion prevention, and breach-detection monitoring were all absent. Investigators also discovered that 23andMe failed to address unusual login activity and fix known vulnerabilities. The company initially denied a breach occurred and then blamed customers' password practices. 23andMe filed for Chapter 11 bankruptcy in March 2025 and was acquired for $305 million by TTAM Research Institute in July 2025.
3) Analysis This is a landmark case demonstrating how companies handling ultra-sensitive data can fail on the most basic cybersecurity protections. 23andMe's initial response — denying the breach and blaming customers — was a blatant responsibility-shifting attempt that the multistate investigation categorically rejected. The $18 million settlement, while significant in absolute terms, is small compared to the actual damage inflicted: genetic data is irrevocable and irreplaceable. Unlike passwords or credit cards that can be changed after a breach, a person's genetic information is unique, permanent, and immutable — once exposed, the privacy loss is permanent and irreversible. The US justice system has now consolidated $30 million from an earlier class-action settlement (September 2024) plus this $18 million multistate fine, totaling $48 million in financial penalties, in addition to £2.31 million from the UK ICO and the cost of the Chapter 11 bankruptcy proceedings and forced acquisition.
4) What to watch • The security advisory board and risk protocols could serve as a regulatory model for other companies handling genetic and biometric data. • The continued consumer right to delete data sets an important legal precedent for genetic privacy. • Biotech and healthcare companies must immediately review their security practices in light of this case. • The dark web sale of genetic data creates long-term risks for the 6.9 million affected individuals, including potential genetic discrimination by insurers or employers under future legal frameworks.
Source: BleepingComputer