23andMe breach victims land $47m payout from firm’s new owner

Victims of the 2023 data breach at genetics testing firm 23andMe are to share a $46.75m (£35m) payout, after a California bankruptcy court ruled that the company’s new owner must compensate as many as 6.9 million people whose personal information was exposed.

The ruling, handed down on Tuesday, draws a line under one of the most damaging data breaches in consumer technology, and offers UK business owners a stark illustration of how a single security failure can help bring down a company once valued at $6bn.

Chrome Holding, which operates as the TTAM Research Institute, took control of 23andMe last year following the firm’s bankruptcy. It is run by 23andMe co-founder Anne Wojcicki, who won the company’s assets at a bankruptcy auction with a bid of $305m.

Under the ruling, the settlement will first be paid to Kroll Restructuring, which represents the victims, within five business days of Tuesday’s decision. Kroll will then distribute the funds. The appointment of firms such as Kroll is typical in corporate bankruptcy proceedings.

Business Matters has contacted the legal team representing the victims to ask how many people will receive the payout. Representatives of Chrome Holding and 23andMe have also been contacted for comment.

The road to Tuesday’s ruling began with a hack that, on paper, looked contained. 23andMe filed for bankruptcy early last year, roughly 18 months after hackers gained access to around 14,000 user accounts, a small fraction of its total user base.

The damage did not stop there. Because the platform connects users to their genetic relatives, the hackers were able to access the profiles of those users’ family members, giving them reach into millions of profiles hosted by the company.

And this was no ordinary customer database. 23andMe offered “comprehensive” genetic profiles of people who submitted their DNA, including markers relating to their health and family history, meaning some of the stolen information was highly personal and impossible to change once exposed.

The fallout landed on both sides of the Atlantic. In the UK, the Information Commissioner’s Office fined the company £2.31m, finding that 23andMe had failed to put adequate measures in place to secure sensitive user data before the incident.

In May, California’s Attorney General Rob Bonta sued the company following an investigation that found 23andMe “failed to take basic steps to protect users’ data”. Bonta also claimed the firm “lied to consumers about the severity of its 2023 data breach”.

For smaller firms tempted to file this under big-company problems, the direction of travel from regulators should give pause. The 23andMe penalty sits alongside the ICO’s £14m fine for outsourcer Capita over its own 2023 cyber-attack, evidence that the watchdog is increasingly willing to punish security failures with meaningful sums.

23andMe, for its part, continues to trade, selling DNA testing kits online under its new ownership. Founded in 2006 and floated in 2021, the company was once valued at $6bn but has never turned a profit.

For entrepreneurs, the lesson is uncomfortable but plain. Customer data is a liability as well as an asset, and as this week’s ruling shows, the bill for mishandling it can outlive the business itself.

Leave a Reply

Your email address will not be published.

Previous post UK tech funding nearly doubles to $15.3bn, but the money is going to fewer companies