23andMe settlement: Georgia joins 42-state alliance over data breach

Chris Carr/State of Georgia website

A massive network of 42 attorneys general just finalized an $18 million immediate settlement with 23andMe's bankruptcy trustee following a sweeping 2023 cyberattack that compromised the genetic data of 6.9 million customers globally, Georgia Attorney General Chris Carr announced July 14.

Corporate safeguards fail

What we know:

The devastating October 2023 breach exposed highly sensitive genetic ancestry information for millions of people, including 171,125 individuals in Georgia. Subsets of this stolen information were later published for sale on the dark web.

A multistate investigation revealed the direct-to-consumer genetic testing company used unreasonable data security practices. Investigators found the company failed to use safeguards against credential stuffing attacks, did not require multifactor authentication, skipped password blocklists and ignored a massive spike in login attempts. Furthermore, company officials initially denied the incident occurred and later blamed consumers' password habits, despite knowing a partner website had been compromised years earlier.

The company filed for bankruptcy protection in March 2025, leading states to file formal claims. While the initial settlement allowed for $150 million in claims, the finite bankruptcy estate capped the immediate payout at $18 million, with Georgia receiving $452,232. A separate $46.75 million class-action settlement was established for U.S. consumers who submitted claims by Feb. 17.

Future custody concerns

What we don't know:

Officials have not yet confirmed how many total consumers will ultimately receive payouts from the separate class-action fund. It also remains unclear exactly how many unauthorized users purchased or downloaded the stolen genetic profiles while they were floating around the dark web.

New corporate ownership

The backstory:

During the bankruptcy proceedings, 23andMe's assets—including its massive trove of consumer data—were sold to the TTAM Research Institute, a non-profit group formed by company founder Anne Wojcicki. The entity has since reregistered as the 23andMe Research Institute.

To serve as a safer custodian of genetic profiles moving forward, the new owners are legally bound by strict data security mandates. The terms of the sale force the institute to implement rigorous risk analysis, add an independent Advisory Board, follow comprehensive privacy laws without exception and uphold deletion rights.

Erasing personal profiles

What you can do:

If you want to pull your genetic data from the database completely, you can log into your account at 23andMe.com. Click your profile in the top right corner, select "Settings" and scroll down to the "23andMe Data" section.

From there, you can optionally request a download of your files, which takes up to 30 days. To finalize the process, click the red "Permanently Delete Data" button, open the confirmation email with the subject line "23andMe Delete Account Request" and click "Permanently Delete All Records." Your account will remain active unless you complete that final email step.

The Source: The information in this story was gathered from Georgia Attorney General Chris Carr, who issued an official public statement detailing the multi-state settlement agreement, as well as archival corporate records regarding the 23andMe bankruptcy proceedings.

ScienceCrime and Public SafetyConsumerNewsGeorgia