Government

PA Attorney General Settles After 23AndMe Data Breach

Earlier this week, Pennsylvania Attorney General Dave Sunday along with 42 other states announced a $18 million bankruptcy settlement.

Pennsylvania Attorney General Dave Sunday holding a press conference in Harrisburg on June 26, 2025.
Credit: PA Internet News Service

Earlier this week, Pennsylvania Attorney General Dave Sunday along with 42 other states announced a $18 million bankruptcy settlement with genetic testing company 23andme over a data breach that affected thousands of Pennsylvania residents.

Advertisements

In the case, Pennsylvania will be awarded just over $490,000 as nearly 200,000 customers in the state were impacted by the breach. 

The breach was first discovered by the California based company in October of 2023.

Nearly seven million customers were affected nationally and the breach included a variety of sensitive information for customers including genetic information that was later published on the dark web. 

Advertisements


After the breach was first discovered, 23andMe initially denied it and attributed the leak to its customers and how their accounts may have been set up.

The tactic used by the breachers is called “credential stuffing,” which is when a password found from another website is used to log into another account. 

Advertisements

In the press release, Sunday said, “This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers.” “I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.” 

After the data breach was discovered, Sunday’s office started an investigation that found that 23andMe engaged in a list of impracticable security practices, including “failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords, or requiring multifactor authentication.” 

23andMe’s consumer data was later sold to TTAM Research institute as a part of bankruptcy. The institute is a nonprofit.

Advertisements


According to the press release, the terms of the sale will “ensure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.” 

About the author

Stephen Zaglin

Stephen Zaglin is a student based in Bucks County, Pennsylvania. He has written stories for his University’s school newspaper and has experience in gamers, feature stories, and interviews. Stephen’s main interest is in sports and that is what he has mostly covered, but he is looking forward to learning about other topics and writing other types of stories.