23andMe to pay $18 million in new genetics data breach settlement
Genetic testing company 23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data. The company disclosed a massive data breach in October 2023, following credential-stuffing attacks th…
Intelligence analysis by Llama

23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data. The company disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months.
Imagine you have a super powerful computer that can look at your DNA and tell you lots of things about your health and ancestry. But, if someone breaks into that computer and steals your DNA information, it could be used to hurt you or your family. That's what happened to 23andMe, a company that helps people look at their DNA. They had to pay $18 million to fix the problem and make sure it doesn't happen again.
Analysis
A $60B Vote of Confidence
The recent settlement between 23andMe and a coalition of 43 attorneys general is a significant development in the world of genetics and data security. The company has agreed to pay $18 million to settle claims that it failed to protect customers' genetic data. This settlement is a result of a multistate investigation launched after the incident was disclosed in October 2023.
The investigation found that 23andMe lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication, as well as adequate rate limiting, intrusion prevention, and breach-detection monitoring. Investigators also discovered that 23andMe failed to address unusual login activity and fix known vulnerabilities.
The company initially denied that a breach had occurred, then blamed the incident on customers' account and password practices. However, the settlement secures new security requirements at 23andMe, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data.
Why Credential-Stuffing Attacks Are a Growing Concern
Credential-stuffing attacks are a growing concern in the world of data security. These attacks involve using automated tools to try a large number of usernames and passwords to gain unauthorized access to a system or network. In the case of 23andMe, the attackers were able to steal the data of 6.9 million customers, including their genetic ancestry information.
The attackers later offered the data for sale on the dark web, with millions of genetic profiles leaked as proof that the data was legitimate. This highlights the importance of protecting customers' sensitive and personal data from hackers.
The Road Ahead
The settlement between 23andMe and the coalition of attorneys general is a significant step forward in protecting customers' genetic data. However, it also highlights the need for companies to prioritize data security and protect their customers' sensitive and personal information.
In the road ahead, companies like 23andMe must prioritize data security and implement robust safeguards against credential-based cyberattacks. This includes implementing multifactor authentication, rate limiting, intrusion prevention, and breach-detection monitoring.
Additionally, companies must also prioritize transparency and communication with their customers. This includes being open and honest about data breaches and taking steps to protect customers' sensitive and personal information.
Key points
- 23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data.
- The company disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months.
- The investigation found that 23andMe lacked basic safeguards against credential-based cyberattacks, such as password blocklisting or multifactor authentication.
- The company has implemented new security requirements, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data.
The settlement between 23andMe and the coalition of attorneys general is a positive step forward in protecting customers' genetic data. The new security requirements implemented by 23andMe, including a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data, will help to prevent similar breaches in the future.
The recent data breach at 23andMe highlights the risks associated with storing sensitive and personal genetic data. The attackers were able to steal the data of 6.9 million customers, including their genetic ancestry information, and later offered it for sale on the dark web. This highlights the need for companies to prioritize data security and protect their customers' sensitive and personal information.



