Estimated reading time: 3 minutes
A U.S. bankruptcy judge has approved a cyber liability insurance policy buyback that will allow the company once called 23andMe (now Chrome Holding Co.) to transfer $16.5 million in cash from its cyber insurers to those impacted by its hack (see the key legal document below). The legal decision this week is a step toward resolving a tangled set of legal disputes that started with a 2023 hack (via “recycled login credentials”) that exposed ancestry and genetic health data of roughly 7 million 23andMe customers.
Cyber Coverage Was “Wasting”
23andMe had $25 million in cyber insurance that was supposed to pay for lawsuits and victim compensation after the hack. But the insurance coverage was “wasting” (or “eroding”) as it paid for lawyers involved in the hacking lawsuits and related issues in the ongoing bankruptcy of 23andMe. If nothing changed, the remaining money would have keep disappearing as legal bills piled up, possibly leaving little or nothing for hacked users. The cash can now be used to settle various lawsuits against the company.
Cyber Insurance Policy Buy Back
The new deal is a “policy buyback.” The insurers (Lloyd’s of London syndicates, HCC Global, Allied World, and Landmark American) pay the full $16.5 million that’s left and walk away — no more bills, no more fights. That cash goes some of the way to paying settlements totaling around $60–$62 million (a $30–$50 million U.S. class action, Canadian payouts, a Pixel-tracking case, and 32,000 individual arbitrations).
This cyber insurance “policy buy back” is based on a concept used in other types and cases of litigation. In 2024–2025 alone, according to media reports, a Catholic Diocese did an $85 million liability-policy buyback to settle abuse claims, and several insurers in the Celsius crypto collapse sold back policies for millions to exit fast.
Watch: Data Collection and the Meta Pixel Issue Discussed On The Cyber Insurance News Podcast
Who Wins?
Supporters of the decision consider it a win/win for the parties and efficiency of the bankruptcy process.
- For customers (the 7 million affected users): Without the buyback, ongoing lawyer fees could have eaten much of the insurance, leaving less money to share. Now the full $16.5 million is locked in and will go toward real payouts (most people get $100–$500 cash plus credit monitoring; some with proven harm get up to $10,000).
- For the company: It stops the slow bleed of its insurance and removes the insurers from the picture completely. That makes the Chapter 11 bankruptcy cleaner and faster and help 23andMe finish its recent sale to a new owner (a nonprofit tied to co-founder Anne Wojcicki) for $305 million and exist the bankruptcy process.
Bizarre Twist: Users Targeted by Hackers for their Specific Genes?
One of the suits against 23andMe alleged that customers with Chinese and Ashkenazi Jewish heritage were specifically targeted and their personal genetic information included in “specially curated lists” sold on the dark web.
RELATED CYBER LIABILITY INSURANCE POSTS
