23AndMe multistate genetic-data settlement and ICO fine
Regulatory/Legal Action
Summary
Hide ▲
Show ▼
23andMe agreed to pay $18 million to settle multistate claims over its failure to protect customers' genetic data, extending the legal fallout from the 2023 breach. Regulators said the company lacked basic safeguards such as multifactor authentication, password blocklisting, rate limiting, intrusion prevention, and breach-detection monitoring. The settlement also adds new security requirements, including a data security advisory board and risk analysis protocols. A separate UK ICO fine of £2.31 million adds further regulatory pressure over the same security failures.
Related Happenings
23AndMe hit by network compromise
Incident
H score73
First: 16.07.2026 16:47
Last: 16.07.2026 16:47
Sources 1
How related:
23andMe disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months, from April 2023 to September 2023.
About this happening:
23andMe disclosed a credential-stuffing breach that exposed data on 6.9 million customers, including genetic ancestry information. The unauthorized access ran from A...
23AndMe hit by network compromise
IncidentHow related: 23andMe disclosed a massive data breach in October 2023, following credential-stuffing attacks that went unnoticed for five months, from April 2023 to September 2023.
About this happening: 23andMe disclosed a credential-stuffing breach that exposed data on 6.9 million customers, including genetic ancestry information. The unauthorized access ran from A...
NHS awareness campaign and guidance on unauthorized patient-data access
Public Sector Action
H score8
First: 10.07.2026 12:00
Last: 10.07.2026 12:00
Sources 1
About this happening:
The NHS launched a new awareness-raising campaign and guidance to curb unauthorized access to patient data across staff and healthcare organizations. The initi...
NHS awareness campaign and guidance on unauthorized patient-data access
Public Sector ActionAbout this happening: The NHS launched a new awareness-raising campaign and guidance to curb unauthorized access to patient data across staff and healthcare organizations. The initi...
ICO formal caution in Princess of Wales records case
Regulatory/Legal Action
H score28
First: 18.06.2026 17:45
Last: 18.06.2026 17:45
Sources 1
About this happening:
The ICO issued a formal caution to a former London healthcare professional under section 170(5) after reviewing prosecution criteria in a case involving the Prin...
ICO formal caution in Princess of Wales records case
Regulatory/Legal ActionAbout this happening: The ICO issued a formal caution to a former London healthcare professional under section 170(5) after reviewing prosecution criteria in a case involving the Prin...
ICO releases five-step AI cyber guidance
Public Sector Action
H score18
First: 14.05.2026 12:00
Last: 14.05.2026 12:00
Sources 1
About this happening:
The UK Information Commissioner’s Office (ICO) released a five-step guide urging organizations to prepare for AI-powered cyber threats, making it clear that stronger r...
ICO releases five-step AI cyber guidance
Public Sector ActionAbout this happening: The UK Information Commissioner’s Office (ICO) released a five-step guide urging organizations to prepare for AI-powered cyber threats, making it clear that stronger r...
ICO fine against South Staffordshire Water for data breach
Regulatory/Legal Action
H score69
First: 12.05.2026 11:30
Last: 12.05.2026 11:30
Sources 1
About this happening:
The ICO finalized a nearly £1m penalty against South Staffordshire Water and South Staffordshire PLC, resolving a cyber enforcement action tied to a breach that ex...
ICO fine against South Staffordshire Water for data breach
Regulatory/Legal ActionAbout this happening: The ICO finalized a nearly £1m penalty against South Staffordshire Water and South Staffordshire PLC, resolving a cyber enforcement action tied to a breach that ex...
Timeline
-
16.07.2026 16:47 2 articles · 1h ago
23andMe agrees to $18 million multistate settlement over genetic data protections
Legal Policy Action Update23andMe agrees to pay $18 million to settle claims from a coalition of 43 attorneys general over failure to protect customers' genetic data, after the 2023 breach exposed data on 6.9 million customers and investigators cited missing multifactor authentication, password blocklisting, rate limiting, intrusion prevention, and breach-detection monitoring. The settlement also adds a data security advisory board, risk analysis protocols, and continued consumer rights to delete their data.
Show sources
- 23andMe to pay $18 million in new genetics data breach settlement — www.bleepingcomputer.com — 16.07.2026 16:47
- 23andMe to pay $18 million in new genetics data breach settlement — www.bleepingcomputer.com — 16.07.2026 16:47