Technical writing
The Custody Chain: Fifteen Million Genomes, One Bankruptcy Court
A DNA test is a strange thing to own, because it is never only yours — it is a quarter of each parent, half of each child, a measurable fraction of relatives who never consented to anything. Between 2023 and 2026, the largest consumer collection of that data passed through a breach, two regulators, a congressional gauntlet, and a bankruptcy auction. Every step is in the public record. Read in order, the record answers a question most customers never thought to ask: who has custody of a genome, and what happens to it when the company holding it fails?
The password was the door
The attack was not an exotic one. Beginning in late April 2023 — about 5 months before anyone knew — a threat actor worked through login pages with passwords reused from other sites' old breaches. By the company's own account, roughly 14,000 accounts, one tenth of one percent, were opened this way. The damage multiplied through design: the DNA Relatives feature, built to connect genetic kin, let each opened account read profiles across the network — approximately 5.5 million DNA Relatives profiles and another 1.4 to 1.5 million Family Tree profiles, per the company's SEC filings.
A note on the famous number: the widely cited 6.9 million total appears in no 23andMe SEC filing or blog post — it is the sum of those categories, later confirmed by the company to reporters, put at approximately 7 million in its own bankruptcy filings, and fixed by the UK regulator at exactly 6,984,430. The components are the company's numbers; the total is everyone else's arithmetic.
What the regulators found
The UK Information Commissioner's penalty notice — 153 pages, issued jointly with Canada's privacy commissioner in June 2025 — is the sharpest technical account on record, and it is unsparing. At the time of the attack, 0.2 percent of customers worldwide had multi-factor authentication enabled. Not one account protected by single sign-on was breached. The company's own compromised-credential check ran against a list of about 20,000 passwords while its subscription to a database of more than 14 billion breached credentials went unused. The fine — £2,310,000 — was itself a document of the company's condition: reduced from a proposed £4.59 million because the regulator doubted the company could pay.
The lists
What separates this breach from a thousand others is documented in court filings and congressional letters, and this ledger reports it at exactly that strength: the stolen profiles were sorted by ancestry and offered for sale as curated lists — approximately one million profiles of people with Ashkenazi Jewish heritage, and hundreds of thousands of people of Chinese descent, at asking prices of one to ten dollars per record. The federal court overseeing the class action put it plainly in a December 2024 order: the attackers “specifically targeted 23andMe customers of Ashkenazi Jewish and Chinese descent, offering their data for sale on the dark web.” Genetic data is not just personal; it is categorical — a fact the law had not priced in.
An asset called you
When 23andMe filed Chapter 11 in March 2025, the genetic database of roughly 15 million customers became what everything becomes in bankruptcy: an asset. Federal law was almost silent about this. The Bankruptcy Code's definition of personally identifiable information — the thing a Consumer Privacy Ombudsman exists to protect — does not mention genetic data at all. HIPAA never applied to a direct-to-consumer testing company. GINA, the 2008 genetic-nondiscrimination law, stops at employment and health insurance — it says nothing about life, disability, or long-term-care coverage.
So the machinery of commercial insolvency processed the genome collection like inventory, with three safeguards the record shows working overtime. The FTC's chairman wrote to the trustee insisting any buyer be bound by the privacy promises made to customers. A court-appointed Consumer Privacy Ombudsman filed a 211-page report on whether and how such a sale could proceed. And 27 states plus the District of Columbia sued outright, arguing customers own their genetic information and it cannot be sold without express consent. The auction itself told the story of the asset's worth: opening bid $52 million, a pharmaceutical company winning at $256 million, the auction reopened, and a final price of $305 million — paid by a nonprofit founded by the company's own co-founder and former chief executive, pledging to honor the existing privacy commitments. Customers voted with the delete button: the court's own opinion records approximately 1.9 million account deletions after the filing (a Senate transcript from the same week says 1.3 million — the record conflicts, so this ledger publishes both).
The dateline
17 of the 42 documented events; the full chain, each with register, procedural status, and source, ships in the Genetic Privacy Ledger.
Still resolving
Three separate money tracks are still closing, and the discipline of this ledger is to state each at its procedural strength. The private class settlement — $30 million when agreed in 2024 — was re-cut through the bankruptcy into a fund whose enlarged $46.75 million final approval has so far been reported by press but not yet reproduced from a court record. Forty-two attorney-general offices signed an $18 million stipulation in July 2026 — resolving governmental claims filed at a face amount of roughly $100 billion — that awaits a judge's signature. And California, which signed neither, sues on alone. The corporate story, at least, has an ending: the selling shell, renamed Chrome Holding Co., deregistered its securities in December 2025. 23andMe the public company no longer exists; the database it built does.
The legacy is statute
The durable residue of the whole affair is law. Twelve states — from Arizona and Utah in 2021 to South Dakota in 2026 — now have near-template direct-to-consumer genetic-privacy statutes: express consent, separate consents per purpose, deletion of data, destruction of the physical sample. Most are enforced by attorneys general at $2,500 a violation; Illinois' older act and Wyoming's let individuals sue directly. A second phase is already legislating against the next fear — foreign-adversary access to genomic data. And in Congress, the narrow fix sits in committee: the Don't Sell My DNA Act would add genetic information to the Bankruptcy Code's definition of personally identifiable information, so that the next time a genome collection meets an auction, the law will at least know what it is looking at.
Every figure is drawn from the Genetic Privacy Ledger (42 documented events, 18 statute rows, as of 2026-07-18); keyless JSON at /genetic-privacy/index.json, CC BY, zero personal data. Events carry one of three procedural statuses; figures not yet adjudicated are identified as such. No leaked material was accessed, cited, or linked; the targeting of customers by ancestry is reported at the strength of the court and congressional record only. Naming rules: data standards.
Related writing: Information Rights Have Two Sides — the global access/privacy statute map this ledger extends to genetics.
Related dataset: The Genetic Privacy Ledger — 12 state DTC statutes, 42 events, keyless JSON, CC BY.