Victims of 23andMe data breach to get $47m payout, judge rules

One of the most high-profile consumer data breaches in recent biotech history has moved toward resolution, after a California bankruptcy court judge approved a $46.75 million compensation package for users affected by 23andMe’s 2023 genetic data hack.

The court’s Tuesday ruling orders Chrome Holding, the entity that acquired 23andMe following the company’s 2024 bankruptcy restructuring, to disburse the £35 million (approximately $46.75 million) settlement within five business days to Kroll Restructuring, the court-appointed firm representing breach victims. Kroll will then handle distribution of funds to eligible users affected by the incident. This structured compensation process is standard for bankruptcy-related legal settlements, where third-party administrators manage claims on behalf of harmed parties.

23andMe, the pioneering direct-to-consumer DNA testing firm that launched in 2006 and went public in 2021, built its business by creating detailed genetic profiles for millions of customers, holding deeply personal data ranging from disease predispositions to family ancestry connections. The 2023 breach began when hackers gained unauthorized access to roughly 14,000 direct user accounts. Because of 23andMe’s DNA matching service that connects users to biological relatives, hackers were able to expand their access to an estimated 6.9 million total user profiles, exposing the highly sensitive genetic information of millions of people who never had their own accounts directly compromised.

The incident sparked widespread criticism of 23andMe’s lax data security practices. Regulators on both sides of the Atlantic brought penalties: the UK’s Information Commissioner’s Office (ICO) issued a £2.31 million fine, finding the company had failed to implement basic adequate safeguards for sensitive user genetic data. In May 2024, California Attorney General Rob Bonta filed a lawsuit against the firm, concluding an investigation that found 23andMe not only neglected basic security protocols to protect user information, but also intentionally misled consumers about the full scope and severity of the 2023 breach.

The company’s financial struggles long predated the fallout from the hack. 23andMe never turned a profit over its nearly 20 years of operation, and at its peak reached a valuation of $6 billion. Last year, roughly 18 months after the breach was first disclosed, the company filed for Chapter 11 bankruptcy protection. Co-founder Anne Wojcicki acquired the company’s assets via a $305 million bankruptcy auction through her holding entity Chrome Holding, which operates under the trade name TTAM Research Institute. The company has continued normal operations following the restructuring, still selling DNA testing kits to consumers online.

As of this ruling, it remains unclear exactly how many of the 6.9 million affected users will qualify to receive compensation from the settlement fund. Representatives for Chrome Holding, 23andMe, and the victims’ legal team have been contacted for additional comment on the settlement timeline and claims process.