North Carolina to receive more than $666,000 in 23andMe data breach settlement
North Carolina will receive $666,242 through an $18 million multistate settlement resolving claims tied to a 2023 breach that exposed genetic and personal information belonging to millions of 23andMe customers.
North Carolina will receive more than $666,000 as part of an $18 million multistate settlement resolving claims related to 23andMe’s 2023 data breach, Attorney General Jeff Jackson announced Tuesday.
The settlement was reached with the bankruptcy trustee for 23andMe and addresses a breach that compromised information belonging to 6.9 million customers worldwide, according to the North Carolina Department of Justice.
North Carolina’s share of the settlement is $666,242.
The breach exposed customer information that included genetic ancestry data. According to the Department of Justice, an investigation found that 23andMe took months to detect a credential-stuffing attack, in which hackers use previously stolen usernames and passwords to gain access to accounts where customers reused login credentials.
The state said some stolen information was later offered for sale on the dark web.
Attorney General Jeff Jackson said the settlement was intended to hold the company accountable for protecting highly sensitive information.
“Your genetic data is the most personal data you have,” Jackson said. “23andMe failed to protect it for millions of people.”
The settlement follows a broader multistate investigation into the breach and the company’s data-security practices.
According to the Department of Justice, investigators found that 23andMe should have taken earlier measures to prevent or detect breaches, including monitoring for unusual login activity and addressing security vulnerabilities.
The company later filed for bankruptcy and sought to sell assets that included genetic information collected from more than 15 million customers. Jackson joined a multistate legal effort seeking to prevent the transfer of customers’ genetic information without their consent.
The Department of Justice said protections were ultimately secured to keep the genetic data with TTAM Research Institute, a nonprofit organization created by one of 23andMe’s co-founders, rather than transferring it to a for-profit third party.
Additional safeguards include stronger data-security requirements, regular risk assessments and continued rights for consumers to delete their genetic information, according to the state.
Separately, 23andMe will pay $46.75 million through a class-action settlement for eligible U.S. consumers affected by the breach who submitted claims by the Feb. 17, 2026, deadline.
North Carolina joined attorneys general from more than 40 states and the District of Columbia in reaching the multistate settlement.
Editor’s note: This article was drafted with the assistance of artificial intelligence and was reviewed and fact-checked by a member of the NC Political News editorial team before publication.

