Breaches

Judge approves $46.75 million payout for 23andMe breach victims

Judge approves $46.75 million payout for 23andMe breach victims

A federal bankruptcy judge has signed off on the settlement covering an estimated 6.9 million people whose genetic and personal data was exposed in the 2023 breach. After earlier disbursements, the new money comes to $32.46 million, and California's enforcement case against the company remains unresolved.

A US bankruptcy judge on July 7 approved a $46.75 million settlement for victims of the 2023 data breach at genetic testing company 23andMe. US Bankruptcy Judge Brian Walsh in St. Louis said the deal was fair and equitable and in the best interest of a trust overseen by the company's bankruptcy administrator.

The headline figure overstates what victims will now receive. The settlement will be reduced by $14.29 million already disbursed in connection with the breach, leaving an additional payout of $32.46 million. Court documents cited in earlier coverage show plaintiffs had originally sought $48 billion in damages, with the bankruptcy administrator arguing that litigating that claim would burn months or years and millions in professional fees against a company with little left to give.

Nearly 256,000 claims have been resolved, according to court documents. Individual awards are tiered by harm, ranging from roughly $50 for minor claims up to $10,000 for the most serious ones.

The breach itself dates to 2023, when attackers used credentials recycled from other breaches to access 23andMe accounts. Stolen data appeared for sale on cybercrime forums, and the company later confirmed the compromised information included names, dates of birth, ancestry details, family tree data, locations, and genetic information such as haplogroup results. Roughly half of the company's customer base was affected.

The fallout reshaped the company. 23andMe filed for Chapter 11 protection in March 2025, citing the breach, related litigation, increased competition, and falling demand for genetic testing. Its assets were sold in July 2025 to TTAM Research Institute, a nonprofit led by co-founder and former CEO Anne Wojcicki, and the legal entity was renamed Chrome Holding Co.

The settlement does not end the company's legal exposure. California Attorney General Rob Bonta is suing over the breach in San Francisco Superior Court, accusing 23andMe of ignoring warnings that its systems were compromised and downplaying the breach's severity. Bonta is seeking potentially millions of dollars in civil fines.

Walsh has yet to rule on the bankruptcy administrator's motion to block California's lawsuit. In a June 6 filing, Bonta argued that Congress did not give bankruptcy judges the power to strip state courts of jurisdiction over state law enforcement actions, warning against letting bankruptcy courts become "a haven for wrongdoers."



International Cyber Digest

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Subscribe Send a tip