-
A US Bankruptcy Judge approved a $46.75 million payout to 23andMe data breach victims.
-
All victims won’t receive the same amount of money. Some may receive as little as $50, while others can get up to $10,000, depending on the extent of the damage caused.
-
Attorney General Rob Bonta of California is seeking further legal action against 23andMe for ignoring warnings about the vulnerabilities of their system.
After years of back-and-forth over the 2023 23andMe hacking scandal, things finally shifted. US bankruptcy judge Brian Walsh just gave the green light to a $46.75 million settlement for people whose private data the breach exposed.
After nearly three years in court, victims can finally claim some compensation. However, it does not mark the end of what many consider one of the largest cases of privacy violations involving consumer DNA data.
California officials continue to pursue their claims that 23andMe did not secure its clients properly and needs further punishment.
Judge Approves Settlement After Bankruptcy Review
The judge approved the settlement as part of 23andMe’s Chapter 11 bankruptcy case. He decided the agreement was fair and in the best interest of the trust handling the company’s remaining assets.
The total settlement comes to $46.75 million. But the company already paid out $14.29 million in connection with the breach. Meaning there’s still $32.46 million remaining for them to distribute to victims.
Based on records, the court has reviewed over 255,000 claims. Others have been worked out through the bankruptcy process.
People originally sued for an estimated $48 billion. They argued that the exposed info included some of the most personal data anyone can share, their genetic profiles and family connections. The final settlement comes down to what the company can actually afford after bankruptcy.
In March last year, 23andMe filed for Chapter 11, citing legal costs from the breach, tougher competition, and a low demand for DNA testing products as the main reasons. Its assets were later sold for $305 million to TTAM Research Institute. Co-founder Anne Wojcicki controls the nonprofit.
How Much Will Victims Receive?
Every affected customer won’t be getting the same payout. Settlement amounts fall between $50 and $10,000. The exact amount for each victim depends on documents proving they lost money, identity theft, how long it took them to deal with the aftermath of the breach, or any other harm the breach may have caused.
The purpose of the settlement is to resolve multiple class-action lawsuits without dragging things out for years. It’s an indication that 23andMe is in a dire financial situation after its bankruptcy filing and isn’t buoyant enough to settle victims and creditors.
Details of the Breach
The 23andMe breach occurred in 2023. The criminals used credential stuffing to access customers’ accounts. This type of attack involves criminals trying stolen usernames and passwords from earlier breaches on other websites on other accounts. They hope people reuse the same credentials.
Only about 14,000 accounts were directly compromised. But 23andMe’s DNA Relatives feature lets attackers see information linked to many other users. This led to the exposure of personal and genetic info relating to about 6.9 million customers.
The stolen information varied by user. The attack exposed customers’ names, dates of birth, ancestry reports, family connections, profiles, and even personal health data. The main problem here is that, unlike a password or credit card number, you can’t change genetic data once it leaks out.
After the cyber attack, 23andMe made people change their passwords and added mandatory two-step verification.
California’s Lawsuit is Still Moving Forward
Despite the settlement, California is continuing its own enforcement action.
Attorney General Rob Bonta says 23andMe ignored obvious signs that attackers compromised their systems. He accuses the company of not doing enough to protect people’s information and of brushing off how serious the whole thing really was.
Bonta insists bankruptcy shouldn’t let companies off the hook for state enforcement. California’s commitment to enforcing the law is also evident in the recent charges against 21 residents in a $267 million Medi-Cal hospice fraud scheme.
In a court filing, he warned that bankruptcy courts must not become “a haven for wrongdoers”. He’s after civil penalties that, under California law, could easily run into the millions.
The bankruptcy court decided victims should get compensation. However, it has yet to resolve the conflict regarding whether California has the right to pursue its own lawsuit separately.
A Case With Lasting Privacy Implications
The 23andMe breach has become one of the most closely watched privacy cases involving consumer genetic data.
You can cancel a stolen credit card and get a new one, but DNA data is permanent. According to privacy experts, this case shows why tougher protections for genetic info, stronger account security, and clearer rules for companies handling sensitive personal data are necessary.
Even though victims are getting some financial help thanks to the settlement, California’s lawsuit poses bigger questions, like how companies should handle and protect genetic data.