Skip to main content
ComplianceData Protection

23andMe Agrees to $18m Settlement, New Data Security Mandates

Genetic testing lab with modern and traditional equipment, conveying scrutiny and security.

“Companies have a duty to protect their customers’ personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures,” said New York Attorney General Letitia James.

Settlement between Letitia James and a 42-state coalition

A coalition of 42 US attorneys general, led publicly by New York Attorney General Letitia James, reached an $18 million settlement with genetic testing firm 23andMe over a 2023 data breach. As part of the agreement, 23andMe will also pay more than $705,000 directly to New York, and the coalition secured binding data-protection commitments intended to secure customer information going forward.

The October 2023 credential-stuffing incident

In October 2023, 23andMe confirmed that customer profile information was accessed by cybercriminals after a credential stuffing campaign. The company said at the time that the incident was not the result of attackers penetrating 23andMe’s own network; instead, it attributed the compromise to customers’ poor password management and the lack of multi-factor authentication (MFA). Over six million individuals’ information, including ancestry data, was accessed in the breach.

Bankruptcy, litigation and the TTAM Research acquisition

23andMe filed for bankruptcy protection in March 2025. Attorney General James and the coalition filed claims related to the breach investigation, and in June 2025 James and a bipartisan group of 27 other attorneys general sued to protect Americans’ personal genetic information during the company’s bankruptcy. As a result of the bankruptcy process, 23andMe’s customer data was sold to TTAM Research, a nonprofit formed by 23andMe’s founder and former CEO Anne Wojcick.

Payouts, approvals and competing legal moves

  • The $18 million settlement with the 42-state coalition is separate from a $46.75 million settlement that a US bankruptcy judge approved on July 7 to compensate victims of the data breach.
  • Reporting by Reuters noted that on July 10 a bankruptcy judge held California cannot seek damages from 23andMe because of the company’s Chapter 11 reorganization plan; the judge gave California 14 days to either dismiss its May 28 lawsuit or amend the complaint to remove claims for monetary relief. That complaint was filed by the Attorney General of California, Rob Bonta, according to the Reuters report.
  • Regulatory penalties have extended overseas: in June 2025 the UK’s Information Commissioner’s Office fined 23andMe £2.3 million for failing to protect customers’ special category data, and in July 2026 the Spanish privacy watchdog fined the company €2.4 million ($2.75 million) after 2,642 customers in Spain were affected.

New security requirements imposed on TTAM Research

Attorney General James and the coalition secured a set of specific security and information-protection requirements to be applied at TTAM Research as the custodian of the sold data. The measures set out in the settlement include:

  • Implementing an appropriate risk analysis;
  • Adding an Advisory Board on data security;
  • Continuing to offer consumers the right to delete their information.

Those steps are intended to protect customers’ data and prevent future breaches under TTAM’s stewardship.

What this means for consumers, regulators, and security teams

  • Consumers: More than six million people whose data was exposed will see additional contractual commitments and a continued ability to delete their data; independent compensation channels also remain in place via the $46.75 million victims’ settlement approved by the bankruptcy judge.
  • Regulators and state attorneys general: The multistate coalition secured both monetary penalties and specific technical and governance controls, and a parallel judicial process in California continues to press adjustments to its complaint under a Chapter 11 framework.
  • Security teams at TTAM Research and similar custodians: The settlement mandates formal risk analysis and an advisory board focused on data security, putting governance and documented controls at the center of post-sale responsibilities.

Infosecurity has reached out to 23andMe regarding the $18 million settlement and the imposed security requirements. With multiple settlements and fines spanning US states and international regulators, and a recent court direction affecting California’s monetary claims, the immediate questions are procedural: how TTAM Research will implement the ordered protections, and whether California will amend or dismiss its complaint within the 14-day window the judge set. The settlements close one chapter on the 2023 breach, but they leave enforcement and operational compliance as the next test of whether the promised protections will prevent a repeat.

Original story