NextFin

Canadian 23andMe Customers Secure $3.25 Million Settlement in Landmark Privacy Case

Summarized by NextFin AI
  • A Canadian court approved a $3.25 million settlement for victims of the 2023 23andMe data breach, a rare success in a U.S. Chapter 11 bankruptcy context.
  • The breach involved a credential stuffing attack that compromised genetic and personal data of millions, leading to 23andMe's insolvency and a controversial buyback.
  • Eligible claimants can file for compensation until June 25, 2026, but individual payouts may be modest after legal fees.
  • The settlement sets a precedent for cross-border insolvency cases involving tech firms and highlights ongoing concerns about genetic data privacy.

NextFin News - A Canadian court has approved a $3.25 million settlement for victims of the 2023 23andMe data breach, marking a rare instance where a Canadian class action has been successfully resolved within the complex machinery of a U.S. Chapter 11 bankruptcy proceeding. The settlement, finalized on Friday, provides a financial coda to a security lapse that exposed the genetic and personal data of millions, ultimately pushing the Silicon Valley pioneer into insolvency and a controversial buyback by its founder.

The agreement covers Canadian residents who were customers between May 1 and October 1, 2023, and received notification that their data was compromised. Under the terms approved by the court, eligible claimants have until June 25, 2026, to file for compensation. Sage Nematollahi, a lawyer at Toronto-based KND Complex Litigation who served as class counsel, characterized the deal as an "excellent result," noting the procedural difficulty of extracting a settlement from a company already undergoing a court-supervised liquidation and asset sale in a foreign jurisdiction.

The breach, which occurred in late 2023, was not a direct hack of 23andMe’s central database but rather a "credential stuffing" attack where hackers used passwords leaked from other sites to access individual accounts. Once inside, they exploited the "DNA Relatives" feature to scrape data from millions of other users who had opted into the sharing tool. The fallout was catastrophic for 23andMe’s valuation and reputation, leading to a March 2025 bankruptcy filing as the company buckled under the weight of declining sales and mounting legal liabilities.

The path to this settlement was cleared only after a dramatic corporate restructuring. In June 2025, 23andMe co-founder Anne Wojcicki regained control of the company’s core assets through her newly formed nonprofit, TTAM Research Institute. The $305 million acquisition outbid a $256 million offer from biotech giant Regeneron Pharmaceuticals. By shifting the assets into a nonprofit structure, Wojcicki argued she could better protect genetic privacy, though the move drew skepticism from some investors who saw it as a way to shield the business from the full brunt of public market scrutiny and previous debts.

While the $3.25 million figure provides some closure for Canadian victims, the individual payouts are expected to be modest once legal fees and administrative costs are deducted. This highlights a persistent tension in data privacy litigation: while the aggregate settlements sound substantial, they rarely compensate for the permanent nature of a genetic data leak. Unlike a stolen credit card number, a leaked DNA profile cannot be changed, leaving victims with a lifelong digital footprint that could theoretically impact future insurance premiums or employment, despite current legal protections against genetic discrimination.

The resolution of the Canadian claim also serves as a bellwether for how international courts handle the cross-border insolvency of tech firms holding sensitive personal data. By integrating the Canadian settlement into the Chapter 11 process, the court has established a blueprint for future privacy-related class actions involving multinational corporations. However, the survival of 23andMe under the TTAM Research Institute banner remains a subject of intense debate among privacy advocates, who question whether a nonprofit structure truly mitigates the inherent risks of centralized genetic databases.
