In October 2023, **23andMe** disclosed a **data breach** that exposed the **personal and genetic information** of approximately **6.4 million U.S. customers** (the size of the settlement class). 23andMe attributed the initial access to **credential stuffing**: the attackers logged in with username and password pairs reused from breaches of other sites, then used the opt-in **DNA Relatives** feature of those directly compromised accounts to scrape the profile data that many more users had chosen to share with genetic matches. The exposed data included **raw genotype data, health reports, and self-reported health conditions**. The company agreed to a **$50 million class-action settlement** offering affected users compensation (up to **$10,265 per claimant**) for documented identity fraud, mental health treatment, and other losses, together with **five years of free genetic and privacy monitoring**. The incident severely damaged **customer trust**, led to **legal and financial repercussions**, and highlighted the company's **failure to protect genetic and health data**, which is among the most sensitive categories of personal information and, unlike a password, cannot be reissued once exposed. Residents of **California, Illinois, Oregon, and Alaska** are eligible for additional statutory cash payments under those states' genetic privacy laws. The practitioner's takeaways are the familiar ones: password reuse defeats a password-only login, so accounts that guard irrevocable data need multi-factor authentication and rate limiting on authentication endpoints, and any feature that reveals one user's data to other users (such as relative matching) is a data-sharing boundary that belongs in the threat model, since a small number of compromised accounts can turn into bulk exposure through it.
Source: https://www.claimdepot.com/settlements/23-and-me-data-settlement
23andMe cybersecurity rating report: https://www.rankiteo.com/company/23andme
"id": "23A02105402112425",
"linkid": "23andme",
"type": "Breach",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "6,400,000",
      "industry": "Biotechnology / Genetic Testing",
      "location": "United States",
      "name": "23andMe Inc. (now Chrome Holding Co. / ChromeCo Inc.)",
      "type": "Private Company"
    }
  ],
  "customer_advisories": [
    "Eligibility criteria for claims",
    "Documentation requirements",
    "Payout options (electronic/paper check)",
    "Enrollment in monitoring services"
  ],
  "data_breach": {
    "data_exfiltration": "Yes",
    "number_of_records_exposed": "6,400,000",
    "personally_identifiable_information": [
      "Names",
      "Addresses",
      "Genetic Profiles",
      "Health Reports"
    ],
    "sensitivity_of_data": "High (genetic and health data)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Genetic Data",
      "Health Information"
    ]
  },
  "date_detected": "2023-10-01",
  "date_publicly_disclosed": "2023-10-01",
  "description": "23andMe Inc. (now Chrome Holding Co. and ChromeCo Inc.) agreed to pay up to $50 million to settle a class action lawsuit alleging the company failed to adequately protect customer data, resulting in a cyberattack that exposed the personal and genetic information of approximately 6.4 million U.S. residents in October 2023. The breach compromised data of customers between May 1, 2023, and Oct. 1, 2023, with affected individuals eligible for compensation up to $10,265, including extraordinary claims, health information claims, statutory cash claims, and privacy/genetic monitoring services.",
  "impact": {
    "brand_reputation_impact": "Significant (led to bankruptcy, asset sale, and rebranding to Chrome Holding Co.)",
    "customer_complaints": "Class action lawsuit filed by affected customers",
    "data_compromised": [
      "Personal Information",
      "Genetic Information",
      "Health Reports",
      "Self-Reported Health Conditions",
      "Raw Genotype Data"
    ],
    "financial_loss": "$50,000,000 (settlement fund)",
    "identity_theft_risk": "High (documented cases of identity fraud, tax fraud)",
    "legal_liabilities": "$50,000,000 settlement, attorneys' fees ($12.5M), statutory violations (California, Illinois, Oregon, Alaska)"
  },
  "initial_access_broker": {
    "high_value_targets": [
      "Genetic data",
      "Health information"
    ]
  },
  "investigation_status": "Settled (pending final court approval on 2026-01-20)",
  "post_incident_analysis": {
    "corrective_actions": [
      "$50M settlement",
      "5-year monitoring services for affected customers",
      "Company rebranding and restructuring"
    ],
    "root_causes": [
      "Inadequate data protection measures"
    ]
  },
  "references": [
    {"source": "Class Action Settlement Notice"},
    {"source": "Kroll Settlement Administration LLC"}
  ],
  "regulatory_compliance": {
    "fines_imposed": "$50,000,000 (settlement)",
    "legal_actions": [
      "Class action lawsuit",
      "Bankruptcy filing",
      "Asset sale"
    ],
    "regulations_violated": [
      "State Privacy Laws (California, Illinois, Oregon, Alaska)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Settlement notices to affected customers",
      "Online and mail-in claim submission options"
    ],
    "remediation_measures": [
      "$50M settlement fund",
      "5-year privacy/medical/genetic monitoring services"
    ],
    "third_party_assistance": [
      "Kroll Settlement Administration LLC (claims administrator)"
    ]
  },
  "stakeholder_advisories": [
    "Settlement notices sent to affected customers",
    "Online claim portal",
    "Mail-in claim forms"
  ],
  "title": "23andMe $50 Million Data Breach Class Action Settlement",
  "type": ["Data Breach", "Class Action Lawsuit"]
}