Victims of a 2023 data hack at genetics testing company 23andMe are set to receive a multi-million payout, after a California bankruptcy court judge on Tuesday ordered Chrome Holding – the firm that took control of 23andMe after its bankruptcy – to pay $46.75m (£35m) in compensation.
The ruling comes after as many as 6.9 million people had their highly personal genetic profiles breached in the 2023 hack. Hackers accessed roughly 14,000 user accounts directly, but because 23andMe offered “comprehensive” profiles including genetic markers related to health and family history, they were able to pull up the profiles of those users’ relatives, giving them access to millions of profiles.
“A US judge ordered a $46.75m payout for victims of a 2023 hack that exposed 6.9 million genetic profiles.”
The breach triggered investigations and fines. The UK’s Information Commissioner’s Office (ICO) hit 23andMe with a £2.31m fine, saying the company had failed to put adequate measures in place to secure sensitive user data. In May, California Attorney General Rob Bonta sued the company, claiming it “failed to take basic steps to protect users’ data” and “lied to consumers about the severity of its 2023 data breach.”
23andMe filed for bankruptcy early last year, about 18 months after the hack. Chrome Holding last year sold the company’s assets to TTAM Research Institute, an entity operated by 23andMe’s co-founder Anne Wojcicki, who won the assets through a bankruptcy auction with a bid of $305m. The company has continued to operate since then, still offering DNA testing kits online.
The settlement will first be paid to Kroll Restructuring, which is representing the victims, within five business days from Tuesday, after which Kroll will distribute the funds. The legal team representing the victims has been asked how many people will receive the payout, but has not yet responded.
23andMe was once valued at $6bn. It started in 2006 and went public in 2021, but never turned a profit.