23andMe Settles Multistate Claims for $18 Million After Data Breach
23andMe reached an $18 million settlement with 42 states and D.C. to resolve claims from a 2023 breach affecting 6.9 million customers.
A coalition of 42 states and the District of Columbia reached an $18 million settlement with the bankruptcy trustee of 23andMe to resolve claims stemming from an October 2023 cyberattack. The breach compromised the genetic ancestry information of approximately 6.9 million customers globally, particularly affecting users of Ashkenazi Jewish and Chinese descent. While state claims totaled $150 million, the company's March 2025 bankruptcy filing limited available recovery funds to $18 million.
Investigations revealed the company employed unreasonable security practices, including a failure to implement multifactor authentication and a lack of monitoring for credential-stuffing attacks. In addition to the multistate agreement, 23andMe agreed to a separate $46.75 million class-action settlement for affected U.S. consumers. Since the attack, the company has implemented mandatory two-factor authentication for its users.
As part of the bankruptcy proceedings, 23andMe's consumer data assets were sold to the TTAM Research Institute, a non-profit formed by founder Anne Wojcicki. The new data custodian is legally bound by enhanced security and privacy requirements, ensuring compliance with state laws and the preservation of consumer deletion rights. Attorneys general from various states, including Pennsylvania, Illinois, and Arizona, criticized the company for its lax security and for attempting to blame customers following the breach.