New York's Attorney General has secured an 18 million dollar settlement with the genetic testing company 23andMe, resolving allegations that the firm failed to protect the sensitive information of millions of its customers during a massive data breach. The agreement marks one of the more significant actions to date over the handling of genetic data, a category of personal information widely regarded as among the most sensitive a company can hold.
The case dates back to October 2023, when 23andMe announced a data breach that had compromised the accounts of a large share of its user base. According to the investigation, the incident affected nearly 7 million customers across the country, including more than 305,000 people in New York alone. For a company built around DNA analysis, the scale of the intrusion raised immediate concerns about how such intimate data had been safeguarded.
What made the breach particularly alarming was the nature of the information exposed. Investigators say the compromised data included a range of personal details, among them genetic ancestry information tied to individual users. Some of that information did not simply remain in the hands of the intruders: portions of it were later found offered for sale on the dark web, deepening the potential harm to those whose records had been taken.
The response to the breach stretched well beyond New York. Attorney General Letitia James pursued the matter as part of a multi-state investigation, joining forces with a bipartisan coalition of 42 other attorneys general. That broad alliance underscored how widely the breach had been felt and reflected a shared determination among state officials to hold the company accountable for the exposure of such sensitive records.
At the heart of the officials' findings was the conclusion that the breach had been preventable. According to the investigation, 23andMe had failed to put even basic cybersecurity measures in place. Investigators pointed to the absence of adequate safeguards against cyberattacks, a failure to detect suspicious login activity as it was happening, and a lack of proper testing of the company's own security systems, shortcomings that left the door open to intruders.
Those gaps are especially significant given the kind of data at stake. Unlike a password or a credit card number, genetic information cannot simply be reset or reissued once it has been exposed, which is part of why regulators have treated the case with particular seriousness. The settlement is intended both to penalise the failures that led to the breach and to signal that companies holding such data will be expected to protect it accordingly.
The 18 million dollar agreement brings a measure of closure to a case that has unfolded over more than a year and a half, from the initial disclosure of the breach to the coordinated legal effort that followed. For the millions of customers whose information was caught up in the incident, the settlement stands as an acknowledgement of the risks that came with entrusting deeply personal data to a private company, and of the responsibility that companies bear to keep it secure.
