It appears that victims of the significant 23andMe data breach might finally see some financial restitution, with a bankruptcy administrator now suggesting that a payout of $46.75 million is warranted. This development follows 23andMe’s filing for protection from creditors in March 2025, a move attributed, in part, to the fallout from the data breach and the ensuing litigation, alongside other business pressures.
The scale of the data breach itself has been a point of much discussion, with estimates suggesting that genetic and other personal information of approximately 6.9 million U.S. customers was exposed. While the initial headlines might have painted a picture of widespread, direct DNA sequence compromise for millions, the reality appears to be more nuanced. Reports indicate that around 14,000 individuals had their accounts directly breached, meaning hackers gained access to their login credentials, often a consequence of password reuse from breaches at other companies.
Where the situation becomes more complex, and arguably a significant point of contention, is the “relatives” feature. This functionality, which could list up to 5,000 relatives per profile, is where the breach’s reach dramatically expanded. Essentially, from a single compromised profile, hackers could glean information like a name, a potential city of residence, and the genetic relationship (e.g., fourth cousin) to that profile owner, for thousands of other individuals. Since familial relationships are inherently tied to genetic data, this is how the breach of around 14,000 profiles translated into an exposure affecting millions of customers’ genetic connections.
It’s important to clarify that 23andMe has maintained it did not expose the actual DNA sequences and health data of the 6 million customers. Instead, the genetic data of about 14,000 individuals was accessed, along with familial relationships for tens of thousands, and the broader cousin connections for the 6 million. While this distinction might temper the severity for some, the potential for misuse, such as scammers leveraging knowledge of specific familial ties to target individuals, remains a serious concern.
The proposed $46.75 million payout, as suggested by the bankruptcy administrator, is aimed at compensating these victims. However, the distribution of this sum among the affected individuals raises questions about fairness and adequacy. If this amount were to be divided among the estimated 6.9 million U.S. customers, the per-person payout would be quite small, likely only a few dollars each, especially after legal fees are accounted for. This contrasts sharply with what some might consider a more just compensation, especially considering the inherent sensitivity of genetic information.
A key aspect of the legal and financial proceedings is the initial agreement between 23andMe and its users. The user agreements stated that personal information would not be sold. However, with 23andMe’s assets being acquired by TTAM Research Institute, a nonprofit controlled by co-founder Anne Wojcicki, for $305 million, questions arise about the enforceability of those original terms. The acquisition and conversion to a nonprofit structure may have altered the legal landscape regarding user data and previous contractual obligations.
The narrative that “if it’s free, you are the commodity” resonates with some who reflect on the value of their genetic data. While 23andMe was a paid service for most, certain promotions and research initiatives did offer free kits, underscoring the idea that data, in various forms, has significant value. The argument is that users, by providing their genetic information, essentially exchanged it for the insights offered, but the subsequent data breach raises concerns about whether they fully understood the perpetual exposure and potential risks associated with this most private of information.
The bankruptcy filing itself introduces complexities, leading some to question whether the proceedings could render previous claims or agreements moot. The suggestion that this is merely “bullshit litigation for the attorneys” is a cynical perspective, but it highlights the public’s awareness of how legal processes can sometimes benefit legal professionals more than the victims. Whether the bankruptcy administration’s payout recommendation is seen as a genuine attempt at redress or a legal formality to conclude liabilities is a matter of ongoing debate.
The classification of the incident as a “data breach” has also been debated. Some argue that since access was gained through reused passwords, it wasn’t a true breach in the sense of exploiting a fundamental vulnerability in 23andMe’s security. However, others counter that a breach occurs when unauthorized individuals gain access to sensitive data, regardless of the method. The analogy offered is that leaving a front door unlocked and having property stolen is still a robbery, even if the homeowner did not take every preventive measure.
The culpability of 23andMe in this situation is multifaceted. On one hand, they held highly sensitive data and, arguably, could have enforced stronger security measures like mandatory two-factor authentication and more robust API protections to prevent programmatic scraping of millions of relationships. On the other hand, the “DNA Relatives” feature required explicit user consent, separate from general terms of service. This raises the question of whether users who consented to this feature implicitly agreed to the potential exposure of their familial connections to others, even strangers.
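The two technical failure modes named in this discussion, credential stuffing via reused passwords and programmatic scraping of the relatives list, are both visible in ordinary web access logs if anyone looks for them. The following is an added example, not code from the article or from 23andMe, of the detection logic a defender could run over such logs. Everything in it is an assumption: the log fields, the hypothetical `/login` and `/relatives` endpoint names, the IP addresses and account ids, and the thresholds, all of which are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    """One access-log record (hypothetical schema, not a real 23andMe log format)."""
    ts: datetime
    src: str       # client IP address
    account: str   # account the request was made for or as
    path: str      # request path; endpoint names are assumed for the example
    status: int    # HTTP status code


def build_sample_events() -> List[Event]:
    """Constructed sample traffic for demonstration only; not real data."""
    t0 = datetime(2023, 10, 1, 10, 0, 0)
    events: List[Event] = []
    # Credential stuffing: one source tries a leaked password against 30 different
    # accounts. Two of those accounts reused that password, so two logins succeed.
    for i in range(1, 31):
        status = 200 if i in (17, 22) else 401
        events.append(Event(t0 + timedelta(seconds=i), "203.0.113.7",
                            f"user{i:03d}", "/login", status))
    # The same source then pages through user017's relatives list at machine speed:
    # 60 pages in ten minutes, which is how one profile fans out to thousands of people.
    for page in range(1, 61):
        events.append(Event(t0 + timedelta(minutes=1, seconds=10 * page), "203.0.113.7",
                            "user017", f"/relatives?page={page}", 200))
    # An ordinary user: one mistyped password, a successful login, three pages in an hour.
    events.append(Event(t0, "198.51.100.9", "user500", "/login", 401))
    events.append(Event(t0 + timedelta(seconds=20), "198.51.100.9", "user500", "/login", 200))
    for page in range(1, 4):
        events.append(Event(t0 + timedelta(minutes=20 * page), "198.51.100.9",
                            "user500", f"/relatives?page={page}", 200))
    return sorted(events, key=lambda e: e.ts)


def credential_stuffing_sources(events: List[Event], min_accounts: int = 10,
                                min_failures: int = 10) -> List[str]:
    """Sources whose login failures are spread across many distinct accounts.

    A user who forgets a password fails repeatedly on one account; a stuffing
    tool fails once or twice on each of many accounts. The spread is the signal.
    """
    accounts: Dict[str, set] = defaultdict(set)
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.path == "/login" and e.status == 401:
            accounts[e.src].add(e.account)
            failures[e.src] += 1
    return sorted(src for src in failures
                  if failures[src] >= min_failures and len(accounts[src]) >= min_accounts)


def relatives_scrapers(events: List[Event], max_pages: int = 20,
                       window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Accounts that fetch more relatives pages in any sliding window than a person would.

    Returns {account: peak page count within one window} for accounts over the limit.
    """
    per_account: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.status == 200 and e.path.startswith("/relatives"):
            per_account[e.account].append(e.ts)
    flagged: Dict[str, int] = {}
    for account, times in per_account.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_pages:
            flagged[account] = peak
    return flagged


def compromised_then_scraped(events: List[Event]) -> List[str]:
    """Correlate the two detectors: accounts that logged in from a stuffing source
    and then bulk-read their relatives list. These are the profiles whose cousin
    connections have most likely already been harvested and warrant notification."""
    stuffing = set(credential_stuffing_sources(events))
    scrapers = relatives_scrapers(events)
    successful = {(e.src, e.account) for e in events
                  if e.path == "/login" and e.status == 200}
    return sorted(acct for src, acct in successful if src in stuffing and acct in scrapers)


EVENTS = build_sample_events()

if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(EVENTS))
    print("scraping accounts:", relatives_scrapers(EVENTS))
    print("compromised and harvested:", compromised_then_scraped(EVENTS))
```

The correlation step is the part that matters for a breach of this shape: a single successful login from a stuffing source is bad, but a login followed by a burst of relatives-page reads is the point at which one account's exposure becomes thousands of other people's exposure, and it is the event a rate limit on that endpoint, or a mandatory second factor on the login, would have interrupted.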
The legal argument that suing 23andMe is akin to suing a landlord for theft highlights the differing perspectives on responsibility. While the ultimate “thief” is the hacker, critics suggest that 23andMe, as the custodian of the data, had a duty to protect it more effectively. The argument is that if a landlord were to leave tenant documents in an unsecured area, and those documents were stolen after a break-in at the landlord’s office, the tenant would likely hold the landlord responsible.
However, the counterargument points to the user’s role in password reuse. This is seen as similar to a tenant leaving their front door unlocked, and then blaming the landlord for a subsequent break-in. While secondary security features like two-factor authentication are important, some believe this wasn’t a case of complete negligence by 23andMe, but rather a consequence of user behavior amplified by their security protocols.
Further complicating matters are findings from investigations, such as the one conducted in Canada, which reportedly found warning signs that 23andMe may have ignored. This suggests a level of awareness within the company about potential risks that wasn’t adequately addressed. Moreover, the specific targeting and packaging of data for sale, such as customer data of Chinese and Jewish heritage, adds a more specific and disturbing dimension to the breach. Knowing that one’s data was part of a targeted sale based on ethnicity, rather than a general data dump, adds a distinct layer of harm and potential for discrimination.
Ultimately, the proposed $46.75 million payout by the bankruptcy administrator represents a significant financial acknowledgement of the harm caused by the 23andMe data breach. While the exact distribution and perceived fairness of this payout remain subjects of discussion, it signals a move towards compensating the millions of customers whose sensitive genetic and familial information was exposed. The case underscores the evolving challenges in data privacy and security in the age of personal genomics and the complex legal and financial ramifications that arise when that trust is broken.