Victims of the significant 2023 data breach at genetics testing company 23andMe are now set to receive a substantial multi-million-pound payout. A Californian bankruptcy court judge ruled on Tuesday that Chrome Holding, the entity that took control of 23andMe following its bankruptcy last year, must pay out $46.75 million, equivalent to approximately £35 million, in compensation to those affected.
23andMe, known for compiling genetic profiles through DNA testing kits, faced severe criticism after as many as 6.9 million individuals had their highly personal data compromised in the 2023 cyberattack. The breach, while initially affecting around 14,000 user accounts directly, allowed hackers to access the profiles of those users' relatives, thereby exposing millions of hosted profiles containing sensitive health and family history information.
The ruling stipulates that the settlement funds will first be transferred to Kroll Restructuring, the firm representing the victims, within five business days from Tuesday. Kroll will then be responsible for distributing these funds to the individual victims. The appointment of such companies is standard practice in complex corporate bankruptcy proceedings like this one.
The incident led to widespread investigations and regulatory fines, including a notable £2.31 million penalty from the Information Commissioner's Office (ICO), the UK's data protection watchdog. The ICO concluded that 23andMe had failed to implement adequate measures to safeguard sensitive user data before the breach occurred. Furthermore, the Attorney General of California, Rob Bonta, sued the company in May 2026, alleging that 23andMe not only failed to protect user data but also misrepresented the severity of the 2023 breach to consumers.
Despite these significant challenges, including filing for bankruptcy early last year and ongoing legal battles, 23andMe has continued its operations, offering DNA testing kits online. The company, which commenced operations in 2006 and went public in 2021, was once valued at $6 billion but has yet to report a profit. This payout underscores the increasing financial and reputational risks companies face when failing to protect customer data.