Victims of 23andMe data breach to receive $47m settlement

Victims of the 2023 data breach at genetic testing company 23andMe will share a $46.75m (£35m) settlement, after a California bankruptcy court ruled that the company’s new owner must compensate the 6.9 million people whose data was exposed.
The ruling, issued on Tuesday, draws a line under one of the most damaging data breaches in consumer technology, and gives UK business owners a stark illustration of how a single security failure can help bring down a once-$6bn company.
Chrome Holding, which operates as TTAM Research Institute, took control of 23andMe last year following the company’s bankruptcy. It is run by 23andMe founder Anne Wojcicki, who won the company’s assets at a bankruptcy auction with a bid of $305m.
Under the ruling, compensation will first be paid to Kroll Restructuring, which represents the victims, within five business days of Tuesday’s ruling. Kroll will then distribute the funds. The appointment of firms like Kroll is common in corporate bankruptcy proceedings.
Business Matters contacted a group of lawyers representing the victims to ask how many people will receive the payment. Representatives for Chrome Holding and 23andMe were also contacted for comment.
The road to Tuesday’s decision began with a robbery that, on paper, looked like it was there. 23andMe filed for bankruptcy early last year, about 18 months after hackers accessed nearly 14,000 accounts, a tiny fraction of its total number of users.
The damage didn’t end there. Because the platform connects users with their genetic relatives, hackers were able to access the profiles of those users’ family members, giving them access to millions of profiles held by the company.
And this was no ordinary customer database. 23andMe provided “complete” genetic profiles of people who submitted their DNA, including traits related to their health and family history, meaning some of the stolen information was highly personal and impossible to change once it was revealed.
The fallout fell on both sides of the Atlantic. In the UK, the Information Commissioner’s Office fined the company £2.31m, finding that 23andMe failed to put adequate measures in place to protect sensitive user data before an incident.
In May, California Attorney General Rob Bonta sued the company following an investigation that found 23andMe “failed to take basic steps to protect users’ data”. Bonta also said the company “lied to consumers about the seriousness of its 2023 data breach”.
For small companies that are tempted to include this under the pressures of large companies, the direction of travel from regulators should give pause. 23andMe’s fine comes alongside a £14m ICO fine for a third-party retailer for its 2023 cyber-attack, evidence that the watchdog is increasingly willing to punish security failures with meaningful figures.
23andMe, meanwhile, continues to sell, selling DNA tests online under its new identity. Founded in 2006 and floated in 2021, the company was once valued at $6bn but has never turned a profit.
For entrepreneurs, the lesson is uncomfortable but clear. Customer data is a liability as well as an asset, and as this week’s ruling shows, the bill for mishandling it can outlive the business itself.



