23andMe Inherits Lawsuit over 'Disturbing' DNA Data Breach

The Register — Networks
May 29, 2026

Why It Matters

The lawsuit underscores heightened regulatory scrutiny of consumer genetic‑data security and could force the industry to adopt stricter privacy safeguards. Companies that fall short risk eroding customer trust and inviting costly penalties, which could slow market growth.

Key Takeaways

  • California AG files suit alleging 23andMe ignored data‑security obligations
  • Breach exposed data of ~7 million users via the DNA Relatives feature, although only ~14,000 accounts were directly compromised
  • Company faced £2.3 million (≈$3.1 million) UK fine and $30 million class‑action settlement
  • 23andMe still does not enforce mandatory two‑factor authentication
  • New nonprofit 23andMe Research Institute claims no involvement in lawsuit

Pulse Analysis

The 2023 breach at 23andMe revealed a systemic weakness in how consumer genetics firms protect sensitive data. Roughly 14,000 accounts were directly compromised through credential stuffing, that is, logins using usernames and passwords reused from other sites' breaches, but the company's DNA Relatives feature amplified the impact: each hijacked account could view the profiles of its matched relatives, which allowed a hacker known as Golem to scrape information on nearly 7 million users. This exposure included family histories, health conditions, and ethnic ancestry, details that are uniquely identifying and highly valuable on the dark web. The incident highlights the risk inherent in features that expose one user's data to other accounts: a credential‑stuffing attack against a small fraction of accounts cascades into a massive privacy violation, and per‑account defenses such as lockout do nothing for the relatives whose passwords were never guessed.
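The two halves of that cascade, detecting a credential‑stuffing run in authentication logs and then measuring how far a handful of hijacked accounts reaches through a relatives‑style sharing feature, as an added example. This is illustrative code written for this page, not 23andMe's code or anything from the article; the log format, IP addresses, usernames and relatives graph are all constructed.

```python
"""Credential-stuffing detection and relatives-feature exposure (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log lines in a hypothetical format; not real
# 23andMe logs. One source tries six different usernames within seconds and
# succeeds on one (a reused password); a second source is an ordinary user
# mistyping a password twice before logging in.
SAMPLE_LOGS = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=carol result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=dave result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.7 user=frank result=OK
2023-10-01T12:05:00Z ip=198.51.100.5 user=alice result=FAIL
2023-10-01T12:05:20Z ip=198.51.100.5 user=alice result=FAIL
2023-10-01T12:05:40Z ip=198.51.100.5 user=alice result=OK
"""

# Constructed relatives graph (hypothetical): which profiles each account
# can see through a "DNA Relatives"-style matching feature.
RELATIVES = {
    "frank": {"gina", "hank", "ivan"},
    "gina": {"frank", "hank"},
    "hank": {"frank", "gina"},
    "ivan": {"frank"},
    "alice": {"bob"},
    "bob": {"alice"},
}


def parse_line(line):
    """Parse one 'ts ip=... user=... result=...' line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames with a high failure
    rate inside a sliding time window.

    Brute force is deep (many attempts on one account); stuffing is wide (one
    or two leaked-password attempts per account), so per-account lockout never
    fires. The signal is breadth per source, and the successes inside a flagged
    window are the accounts to treat as compromised.
    """
    by_ip = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Keep the widest qualifying window so late successes are kept.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "compromised": sorted(e["user"] for e in win if e["ok"]),
                    }
        if best:
            flagged[ip] = best
    return flagged


def exposure_from_relatives(compromised, relatives):
    """Accounts whose data is visible to any compromised account through the
    relatives feature, excluding the compromised accounts themselves. Their
    credentials were never guessed, yet their profile data leaks."""
    exposed = set()
    for acct in compromised:
        exposed |= relatives.get(acct, set())
    return exposed - set(compromised)


def run_demo():
    flagged = detect_credential_stuffing(SAMPLE_LOGS)
    compromised = sorted({u for f in flagged.values() for u in f["compromised"]})
    exposed = exposure_from_relatives(compromised, RELATIVES)
    return {"flagged": flagged, "compromised": compromised,
            "exposed": sorted(exposed)}


if __name__ == "__main__":
    print(run_demo())
```

On the constructed data one source is flagged with six distinct usernames, five failures and one success (`frank`); the user who mistyped a password twice is not, because the breadth threshold looks at distinct accounts per source rather than failures per account. The one hijacked account then exposes three further profiles whose passwords were never touched, which is the amplification the article describes at the scale of 14,000 accounts to roughly 7 million users.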

Regulators have responded with a series of enforcement actions. California's attorney general filed a lawsuit accusing the firm of violating state privacy statutes and misleading customers about the breach's severity. Across the Atlantic, the UK Information Commissioner's Office imposed a £2.3 million (about $3.1 million) fine for inadequate password policies and delayed detection. In the United States, a $30 million class‑action settlement was reached in 2024. These penalties signal that regulators treat genetic data as a protected class of personal information and are prepared to levy substantial fines when companies fall short of basic security measures such as mandatory two‑factor authentication.

The fallout has prompted a structural shift: TTAM Research Institute, now operating as the 23andMe Research Institute, describes itself as a charitable nonprofit and distances itself from the commercial entity's liabilities. However, the brand continues to offer consumer testing without enforced MFA, leaving open the same gap the credential‑stuffing attack exploited. Industry observers expect tighter regulation and a push for industry‑wide standards, including MFA on by default, regular security audits, and transparent breach reporting. Companies that fail to adapt risk not only legal exposure but also a loss of consumer confidence, which could slow the rapid growth of direct‑to‑consumer genomics services.
