In October 2023, **23andMe** suffered a **massive data breach** that exposed the **personal and genetic data of nearly 7 million users**, including highly sensitive DNA profiles, health records, and personally identifiable information (PII). The breach had severe consequences for affected individuals, including **identity theft, targeted harassment (especially of LGBTQ+ members such as Salman Jaberi), mental health deterioration (e.g., Elvira Olguín's stress-induced vascular episode and vision loss), and financial fraud**. The company filed for bankruptcy in March 2024 while facing **over 250,000 claims** (many of them suspected to be fraudulent) tied to the incident; the proposed settlements of **$30M–$50M (US) and $3.25M (Canada)** fall far below the claimed **$51 trillion** in damages. Victims reported **long-term risks**, such as nation-state exploitation of immutable DNA data, while the company struggled to distinguish legitimate claims from fraudulent ones. The breach's **unique harm**, the exposure of irreplaceable genetic data, heightened distress, and many users felt the settlements offered **insufficient relief** for ongoing damages such as privacy-protection costs, medical expenses, and emotional trauma.
TPRM report: https://www.rankiteo.com/company/23andme
```json
{
  "id": "23a4433044101425",
  "linkid": "23andme",
  "type": "Breach",
  "date": "10/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
```json
{
  "affected_entities": [
    {
      "customers_affected": "~7 million users (global)",
      "industry": "Biotechnology/Genetics",
      "location": "Sunnyvale, California, USA",
      "name": "23andMe (Chrome Holding Co.)",
      "type": "Private Company"
    },
    {
      "customers_affected": "1 (personal health impact)",
      "location": "Málaga, Spain",
      "name": "Elvira Olguín",
      "type": "Individual"
    },
    {
      "customers_affected": "1 (identity theft and harassment)",
      "name": "Salman Jaberi",
      "type": "Individual"
    }
  ],
  "customer_advisories": [
    "Identity verification required for claims",
    "Limited windows for filing extraordinary loss claims (US: Oct 2025; Canada: 6 months)"
  ],
  "data_breach": {
    "data_exfiltration": "Confirmed (sold or leaked, suspected dark web activity)",
    "number_of_records_exposed": "~7 million",
    "personally_identifiable_information": [
      "Names",
      "Email Addresses",
      "Genetic Profiles",
      "Family Connections",
      "Health Research Data"
    ],
    "sensitivity_of_data": "Extreme (immutable genetic data, health records, family ties)",
    "type_of_data_compromised": [
      "Genetic/DNA Data",
      "Personal Identifiable Information (PII)",
      "Health Data",
      "Family Relationships",
      "Credit-Linked Data"
    ]
  },
  "date_publicly_disclosed": "2023-10",
  "description": "A data breach at 23andMe (now Chrome Holding Co.) exposed the personal and genetic information of nearly 7 million users in October 2023. The incident led to significant privacy concerns, including identity theft risks, mental health impacts, and financial losses for affected individuals. The company filed for bankruptcy in March 2024 and proposed settlements for class-action lawsuits in the US and Canada, with payouts ranging from $100 to $165 per affected user, plus additional compensation for extraordinary losses like identity fraud and mental health treatment. The breach raised unique challenges due to the immutable nature of genetic data and difficulties in proving future harm linked to the incident.",
  "impact": {
    "brand_reputation_impact": "Severe (linked to immutable genetic data exposure and bankruptcy)",
    "customer_complaints": [
      "Confusion over bankruptcy hearings",
      "Fear of identity theft",
      "Mental health impacts (e.g., Elvira Olguín's vascular episode)",
      "Harassment and targeted ads (e.g., Salman Jaberi)"
    ],
    "data_compromised": [
      "Personal Information",
      "Genetic/DNA Data",
      "Health Data",
      "Family Names",
      "Credit Information (linked to identity theft)"
    ],
    "financial_loss": {
      "company_asset_sale": "$300 million (June 2024)",
      "individual_claims": "Up to $165 (US health data exposed), $100 (statutory payments for certain states), additional payments for extraordinary losses",
      "settlement_fund_canada": "$3.25 million (CA$4.49 million)",
      "settlement_fund_us": "$30 million to $50 million",
      "total_claims_value": "$51 trillion (disputed, includes potential fraudulent claims)"
    },
    "identity_theft_risk": "High (reported cases like Salman Jaberi's credit report spikes and targeted scams)",
    "legal_liabilities": [
      "Class-action lawsuits (US and Canada)",
      "Potential fraudulent claims disputes",
      "State privacy law violations",
      "Regulatory fines (pending)"
    ],
    "operational_impact": [
      "Bankruptcy filing (March 2024)",
      "Reputation damage",
      "Legal and regulatory scrutiny",
      "Customer trust erosion"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Suspected (referenced in fraudulent claim investigations)",
    "high_value_targets": [
      "Genetic data",
      "Family relationship maps",
      "Health research participants"
    ]
  },
  "investigation_status": "Ongoing (settlements pending approval; fraudulent claims under review)",
  "lessons_learned": [
    "Genetic data breaches have unique, long-term risks due to immutability.",
    "Difficulty in proving future harm (e.g., identity theft) linked to specific breaches.",
    "Bankruptcy processes may inadequately address individual claims for intangible harms (e.g., mental health).",
    "Fraudulent claims can dilute settlement funds for legitimate victims.",
    "Clear communication is critical during legal proceedings to avoid customer confusion."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Settlement funds for US/Canada class members.",
      "Fraudulent claim detection (e.g., identical phrases, email mismatches).",
      "Bankruptcy plan to resolve liabilities (pending approval)."
    ],
    "root_causes": [
      "Inadequate data protection for highly sensitive genetic information.",
      "Lack of long-term support for breach victims (e.g., no future claims representative).",
      "Poor communication during bankruptcy proceedings."
    ]
  },
  "recommendations": [
    "Implement stronger identity verification for genetic data access.",
    "Establish long-term monitoring for victims of genetic data breaches.",
    "Improve transparency in breach notifications and settlement processes.",
    "Develop frameworks for compensating intangible harms (e.g., mental health impacts).",
    "Enhance regulatory oversight for biotech data security."
  ],
  "references": [
    { "source": "Bloomberg Law" },
    { "source": "Stanford University Privacy Research (Jennifer King)" },
    { "source": "BakerHostetler Privacy and Digital Risk Team (Paul Karlsgodt)" }
  ],
  "regulatory_compliance": {
    "fines_imposed": "Pending (mentioned in bankruptcy proceedings)",
    "legal_actions": [
      "Class-action lawsuits (US/Canada)",
      "State pushback over privacy violations",
      "Bankruptcy plan approval hearings (Nov 2024)"
    ],
    "regulations_violated": [
      "State Privacy Laws (US)",
      "Potential GDPR (EU, e.g., Elvira Olguín in Spain)",
      "Canadian Privacy Laws"
    ]
  },
  "response": {
    "communication_strategy": [
      "Bankruptcy hearing notices (confusing to customers)",
      "Judge clarifications (no lawsuits against individuals)",
      "Media silence (23andMe lawyers declined comment)"
    ],
    "recovery_measures": [
      "Class-action settlements",
      "Identity verification for claimants",
      "Fraudulent claim investigations"
    ],
    "remediation_measures": [
      "Bankruptcy filing (March 2024)",
      "Asset sale ($300 million, June 2024)",
      "Settlement proposals (US/Canada)"
    ]
  },
  "stakeholder_advisories": [
    "Bankruptcy court hearings (Sept 2024, Nov 2024)",
    "Settlement approval hearings (Jan/Feb 2025)"
  ],
  "title": "23andMe Data Breach (2023)",
  "type": ["Data Breach", "Privacy Violation"]
}
```