South Dakota to Receive $149,399 in Bankruptcy Settlement with 23andMe

Attorney General Marty Jackley  says South Dakota will receive $149,399 from the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide. The settlement includes $150 million in allowed claims for states.

Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out immediately from available bankruptcy funds.

These funds are in addition to the $46.75 million class-action settlement 23andMe agreed to in the bankruptcy case. That settlement provides relief to affected U.S. consumers who submitted claims by Feb. 17, 2026.

“This settlement still allows South Dakotans who submitted claims by Feb. 17, 2026 to be compensated,” said Attorney General Jackley. “The filing for bankruptcy by 23andMe should not negatively impact those consumers whose personal genetic data was compromised by this company.”

In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 11,027 in South Dakota. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

South Dakota’s share will fund consumer protection efforts through the Attorney General’s Consumer Protection Division.

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.

In the immediate aftermath of the data breach Attorney General Jackley and other Attorneys General formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:

  • Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;
  • Failing to implement appropriate rate limiting or intrusion prevention;
  • Failing to implement logging and monitoring or other tools likely to detect a data breach;
  • Failing to appropriately investigate and/or address unusual login in patterns, including, for example, a massive spike in login attempts;
  • Failing to remediate known vulnerabilities; and
  • Failing to properly review and test design features.

As part of his efforts to protect consumers, Attorney General Jackley also proposed during the 2026 legislative session Senate Bill 49, which safeguards the integrity, privacy, and security of genetic data and provides a civil penalty. The measure was approved by the legislators and signed by the Governor. It became law July 1.

Other Attorneys Generals part of the settlement are from the states of: Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia.