Genetic testing company 23andMe has agreed to an $18 million settlement with 43 state attorneys general over failure to protect customer genetic data.
The settlement resolves allegations that 23andMe inadequately safeguarded sensitive genetic information. The company failed to implement reasonable security measures, leaving customer DNA profiles and ancestry data vulnerable to unauthorized access.
The breach exposed millions of users' genetic information, raising concerns about privacy and data protection in the biotech industry. Regulators argued the company did not adequately warn customers about security risks or obtain proper consent for data handling practices.
23andMe operates one of the largest consumer genetic databases globally. The company has faced increasing scrutiny over data privacy practices as genetic testing becomes more mainstream. This settlement marks one of the largest penalties against a direct-to-consumer genetics company.
The $18 million will be distributed among the states involved in the settlement. Additionally, 23andMe agreed to strengthen its security protocols and implement enhanced data protection measures going forward.
Traditional security workflows designed for human-speed operations are inadequate for AI agents, requiring organizations to rebuild defenses around live identity foundations and customizable threat responses.
Two members of the Scattered Spider cybercrime collective have been sentenced to five years and six months in prison each for a 2024 cyberattack that disrupted Transport for London.
Russian threat actor UAT-11795 is distributing trojanized versions of popular video conferencing apps to deploy Starland, a new backdoor capable of stealing credentials and cryptocurrency.
A new ransomware group called Spirals has demonstrated rapid attack capabilities, completing full network encryption within a single day. The threat actor moved from initial access through data theft to encryption faster than most ransomware operations.