Description: In October 2023, **23andMe** suffered a **massive data breach** exposing the **personal and genetic information** of approximately **6.4 million U.S. customers**. The breach resulted from a **cyberattack** where threat actors accessed highly sensitive data, including **raw genotype data, health reports, and self-reported health conditions**. The company faced a **$50 million class-action settlement**, offering affected users compensation (up to **$10,265 per claimant**) for identity fraud, mental health treatment, and other damages. The breach also triggered **five years of free genetic and privacy monitoring** for victims. The incident severely damaged **customer trust**, led to **legal and financial repercussions**, and highlighted the company’s **failure to secure biometric and health data**, which is among the most sensitive categories of personal information. The breach impacted individuals across the U.S., with additional statutory penalties for residents in **California, Illinois, Oregon, and Alaska** due to stricter state privacy laws.

Description: In 2023, **23andMe** suffered a major data breach exposing highly sensitive genetic and ancestry data of nearly **7 million users**. The compromised information included **chromosomal haplogroups, family tree details, and ancestry profiles**, with ethically charged consequences—such as curated dark web lists targeting individuals of **Jewish and Chinese descent**. Initially, the company **blamed users for weak passwords**, exacerbating public distrust. The fallout led to a **costly class-action lawsuit**, severe reputational damage, and heightened scrutiny over the company’s data stewardship practices. The breach underscored the risks of mishandling **biometric and genetic data**, which, unlike financial records, **cannot be changed if exposed**. The incident also highlighted systemic failures in **incident response, transparency, and ethical data management**, reinforcing the need for stricter protections around **health-related and personally identifiable information (PII)**.

Description: The genetic testing company **23andMe** faced a significant data breach exposing customers' personal and genetic information. The breach led to legal claims from affected users, prompting the company to propose settlements as part of its ongoing **Chapter 11 bankruptcy proceedings**. The exposed data included sensitive customer details, raising concerns over privacy, identity theft, and potential misuse of genetic information. The breach’s financial and reputational fallout contributed to the company’s restructuring efforts, with a judge reviewing settlement approvals to resolve customer claims. The incident underscores the severe consequences of failing to protect highly personal data in the biotech sector, particularly when such information can have long-term implications for individuals' health, insurance, and security.

Description: The California Office of the Attorney General reported a data breach involving 23andMe, Inc. on January 21, 2024. The breach occurred on two dates: April 29, 2023, and September 27, 2023. The breach involved the unauthorized access to personal information of customers, including genetic data and other sensitive information. The incident highlights the vulnerability of genetic testing companies to cyber threats and the potential for significant data leaks.

Description: Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims. Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims. Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan. Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...

Description: 23andMe, a company offering personal genetic testing services, has faced bankruptcy protection while holding a vast collection of sensitive genetic data. Privacy risks are heightened as this data might fall into new hands during a sale process, raising concerns over data protection and potential misuse. Legal frameworks like California’s right to deletion offer some safeguards, yet a national health privacy law in the US is lacking, leaving many customers vulnerable. Customers are advised to download and then request deletion of their personal genetic data to ensure their privacy.

Description: In October 2023, **23andMe** suffered a **massive data breach** exposing the **personal and genetic data of nearly 7 million users**, including highly sensitive DNA profiles, health records, and personally identifiable information (PII). The breach led to severe consequences for affected individuals, including **identity theft, targeted harassment (especially against LGBTQ+ members like Salman Jaberi), mental health deterioration (e.g., Elvira Olguín’s vascular episode and vision loss due to stress), and financial fraud**. The company filed for bankruptcy in March 2024, facing **over 250,000 claims** (many suspected fraudulent) tied to the incident, with settlements proposed at **$30M–$50M (US) and $3.25M (Canada)**—far below the claimed **$51 trillion** in damages. Victims reported **long-term risks**, such as nation-state exploitation of immutable DNA data, while the company struggled to verify legitimate claims. The breach’s **unique harm**—irreplaceable genetic data—heightened distress, with many users feeling the settlements provided **insufficient relief** for ongoing damages like privacy protection costs, medical expenses, and emotional trauma.

Description: 23andMe, a DNA testing company, filed for Chapter 11 bankruptcy in March 2025 following a **2023 data breach** that exposed the personal and genetic data of **nearly 7 million customers**. The breach triggered **dozens of lawsuits globally**, leading to settlements totaling up to **$62 million** for affected claimants, including a **$9 million arbitration settlement** for 32,000 customers, a **$30–$50 million US class-action fund**, and a **$3.25 million Canadian class fund**. The company’s financial collapse was accelerated by **declining demand** and the breach’s reputational and legal fallout. Over **157,000 fraudulent claims** were later identified and removed. The breach forced asset liquidation, including a **$300 million sale** of core assets to co-founder Anne Wojcicki and a **$10 million sale** of its telehealth subsidiary, Lemonaid. The incident also sparked **privacy concerns from over 30 US states**, leading to disputes over liability protections in bankruptcy proceedings. The company is now winding down operations under court supervision, with ongoing negotiations for cyber-insurance settlements and creditor agreements.

Description: In 2023, **23andMe** suffered a **credential stuffing attack** where cybercriminals exploited recycled login credentials from prior breaches to infiltrate ~14,000 user accounts. Due to the company’s **DNA Relatives** and **Family Tree** features—linking users via genetic data—the breach escalated, exposing **6.9 million profiles** (5.5M DNA Relatives + 1.4M Family Tree records). The attack stemmed from **weak password policies**, lack of **rate-limiting on login APIs**, and **password reuse** by users. Regulatory fallout included a **£2.31 million fine** (2025) from the UK’s **Information Commissioner’s Office (ICO)** for failing to protect personal data. The incident highlighted systemic vulnerabilities in **authentication mechanisms** and **data interconnectivity**, enabling a localized breach to spiral into a **mass genetic data exposure** with long-term privacy and fraud risks for affected individuals.

Description: 23andMe discovered that specific customer profile data that customers had agreed to share through their DNA Relatives function had been gathered from individual accounts without the users' consent. They launched an investigation as soon as they became aware of any suspicious conduct. While they are still looking into this situation, they think that when individuals reused login information, threat actors may have gained access to some accounts. According to the company, the threat actor may then have accessed certain 23andMe.com accounts without authorization in violation of their Terms of Service and obtained information from those accounts, including details about users' DNA Relatives profiles, to the extent a user opted into that service.