23andMe Data Breach Victims to Receive $46.75 Million Settlement After Bankruptcy Court Ruling

Web Reporter
3 Min Read
Disclosure: This website may contain affiliate links, which means I may earn a commission if you click on the link and make a purchase. I only recommend products or services that I personally use and believe will add value to my readers. Your support is appreciated!

Millions of people affected by the 2023 cyberattack on genetic testing company 23andMe are set to receive compensation after a California bankruptcy court approved a $46.75 million settlement tied to the company’s data breach.

The ruling, issued on Tuesday, requires Chrome Holding, operating as TTAM Research Institute and now the owner of 23andMe, to compensate as many as 6.9 million individuals whose personal information was exposed during the security incident. The decision closes a major chapter in one of the largest data breaches involving consumer genetic information.

Chrome Holding acquired 23andMe’s assets after the company filed for bankruptcy. The acquisition followed a bankruptcy auction in which 23andMe co-founder Anne Wojcicki secured the company’s assets with a winning bid of $305 million.

Under the court order, the settlement funds will be transferred to restructuring firm Kroll within five business days. Kroll, which represents the affected individuals in the bankruptcy proceedings, will oversee the distribution of compensation to eligible victims. The exact number of people who will receive payments has not yet been confirmed.

The breach originated when hackers gained access to approximately 14,000 customer accounts. While that represented only a small portion of 23andMe’s user base, the company’s DNA relative-matching feature enabled attackers to obtain information connected to family members, expanding the breach to millions of user profiles.

Unlike many cyberattacks involving financial or contact information, the stolen data included highly sensitive genetic details. Customers had entrusted the company with DNA samples that generated reports on ancestry, inherited traits and certain health-related genetic markers. Security experts have noted that such information cannot be replaced or changed once exposed.

The incident drew regulatory scrutiny in several countries. In the United Kingdom, the Information Commissioner’s Office fined 23andMe £2.31 million after concluding that the company had failed to implement sufficient safeguards to protect users’ sensitive data.

In the United States, California Attorney General Rob Bonta filed a lawsuit against the company in May. The lawsuit alleged that 23andMe failed to take basic cybersecurity precautions and misled consumers about the seriousness of the 2023 breach.

The case has become a prominent example of the growing financial and legal consequences companies face following major cybersecurity failures. Regulators have increasingly imposed significant penalties on organizations that fail to adequately protect customer information, reflecting heightened expectations for data security.

Despite its bankruptcy, 23andMe continues to operate under its new ownership, selling DNA testing kits and genetic services. Founded in 2006, the company went public in 2021 and was once valued at around $6 billion, though it never achieved sustained profitability.

The settlement highlights the lasting impact of large-scale data breaches, demonstrating that legal and financial obligations tied to cybersecurity failures can continue long after a company’s ownership or financial position changes.

TAGGED:
Share This Article
Leave a Comment

Leave a Reply