23andMe has reached an $18 million settlement with 42 US attorneys general following a significant data breach in 2023, which resulted from poor password management rather than an internal breach. Over six million customers' data was compromised. As part of the settlement, 23andMe will implement new data protection requirements and pay $705,000 to New York. The settlement follows the company's bankruptcy protection filing and the sale of customer data to TTAM Research.
NEW security measures include risk analysis and an Advisory Board for data security. The company has previously faced fines related to data protection failures in the US and Europe.