Attorney General Jennifer Davenport Announces Multistate Settlement of Bankruptcy Claims Against 23andMe Over Genetic Data Breach


TRENTON
– Attorney General Jennifer Davenport today joined a bipartisan coalition of 42 attorneys general in announcing a settlement with the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of nearly 150,000 customers in New Jersey and affected 6.9 million people worldwide.

The settlement includes $150 million in allowed claims for states. Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out of available bankruptcy funds immediately. Of the $18 million available to the states, New Jersey will receive nearly $410,000.

In addition, 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by February 17, 2026.

“For years, 23andMe took advantage of New Jerseyans and put their most sensitive data at risk. 23andMe obtained people’s DNA, failed to keep that sensitive genetic information secure, and then failed to tell consumers when a data breach occurred,” said Attorney General Davenport. “Today’s settlement holds 23andMe accountable for its misleading statements and its failure to protect the DNA profiles of customers. We will always stand on your side against corporations that mislead the public and endanger your privacy.”

“Preventing a data breach is always better than letting one occur, especially when it comes to DNA data, the most sensitive type of information out there,” said Jeremy E. Hollander, Acting Director of the Division of Consumer Affairs. “As today’s settlement underscores, companies must act to protect consumers from a leak of their personal information.”

In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach affecting 6.9 million consumers, including 148,585 in New Jersey. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied any breach had occurred. Then, once it confirmed the breach, it blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.

In the immediate aftermath of the data breach, the attorneys general launched a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:

  • Failing to employ safeguards against credential stuffing attacks, meaning attacks in which the hackers use stolen usernames and passwords, including by failing to compare passwords against blocklists of known breached passwords or require multifactor authentication;
  • Failing to implement appropriate rate limiting or intrusion prevention, which are processes designed to block automated data theft or credential stuffing attacks;
  • Failing to implement logging and monitoring or other tools likely to detect a data breach;
  • Failing to appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts;
  • Failing to remediate known vulnerabilities; and
  • Failing to properly review and test design features.

In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – including 23andMe’s consumer data – were sold to TTAM Research Institute, a nonprofit formed by 23andMe founder and former CEO Anne Wojcicki.

The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an advisory board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will ensure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.

Attorney General Davenport joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today’s settlement.

The State was represented in this matter by Deputy Attorneys General Mehnaz Rahim and Ethan B. Rubin, under the supervision of Data Privacy & Cybersecurity Section Chief Thomas Huynh and Assistant Attorney General Kashif T. Chand, within the Affirmative Civil Enforcement Practice Group of the Division of Law. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.

More News from Raritan
I'm interested
I disagree with this
This is unverified
Spam
Offensive