Kevin Szczepanski, Data Security & Technology Practice Area co-chair, was featured in the InformationWeek article “23andMe $30M Data Breach Settlement: How Valuable Is Genetic Data?” In 2023, genetic testing company 23andMe experienced a significant data breach, leading to the exposure of sensitive personal and genetic information from approximately 6.9 million customers. The breach resulted from a credential-stuffing attack, in which attackers replayed username and password pairs leaked from other services against 23andMe logins; because many customers had reused passwords, roughly 14,000 accounts were accessed directly, and the attackers then used those accounts' access to the DNA Relatives feature to harvest profile data on millions of other users who had opted in to sharing. The stolen data, which included names, birth years, ancestry details, and in some cases, health and raw genetic information, was later sold on dark web forums, with datasets advertised by ancestry group so that specific populations could be singled out.
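Credential stuffing looks different from a brute-force attack in authentication logs: instead of many failures against one account, one source tries one or two passwords against each of many accounts, and a small fraction succeed. Per-account lockouts never trigger, so detection has to be keyed on the source, not the account. The following Python is an added example, not code from the InformationWeek article or from 23andMe; the log format, the sample lines and the thresholds are constructed for illustration.

```python
"""Flag credential-stuffing sources in login logs.

Added example (not from the article or from 23andMe). The log format
"<ISO timestamp> <client ip> <username> <OK|FAIL>", the thresholds and
the sample lines below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP cycling through many accounts with a low
# success rate (stuffing), one IP retrying a single account (mistyped
# password), and one ordinary login.
SAMPLE_LOG = """\
2023-10-01T12:00:00 198.51.100.7 alice FAIL
2023-10-01T12:00:01 198.51.100.7 bob FAIL
2023-10-01T12:00:02 198.51.100.7 carol OK
2023-10-01T12:00:03 198.51.100.7 dave FAIL
2023-10-01T12:00:04 198.51.100.7 erin FAIL
2023-10-01T12:00:05 198.51.100.7 frank OK
2023-10-01T12:00:06 198.51.100.7 grace FAIL
2023-10-01T12:00:07 198.51.100.7 heidi FAIL
2023-10-01T12:00:08 198.51.100.7 ivan FAIL
2023-10-01T12:00:09 198.51.100.7 judy FAIL
2023-10-01T12:05:00 203.0.113.9 mallory FAIL
2023-10-01T12:05:30 203.0.113.9 mallory FAIL
2023-10-01T12:06:00 203.0.113.9 mallory OK
2023-10-01T13:00:00 192.0.2.44 alice OK
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=8, max_success_ratio=0.5):
    """Return {ip: stats} for sources that, within any sliding window, hit
    at least min_distinct_users different accounts with a success ratio at
    or below max_success_ratio. A single account retried many times does
    not qualify: that is a brute force or a typo, not stuffing."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        end = 0  # right edge of the sliding window; only moves forward
        for start in range(len(evs)):
            while end < len(evs) and evs[end][0] - evs[start][0] <= window:
                end += 1
            span = evs[start:end]
            users = {e[2] for e in span}
            successes = sum(1 for e in span if e[3])
            ratio = successes / len(span)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span),
                                   "successes": successes,
                                   "success_ratio": ratio}
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that accepted a password from a flagged source: these are the
    reused-password accounts that need a forced reset and session revocation."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(ip, stats)
    print("reset these accounts:", sorted(compromised_accounts(evs, hits)))
```

Run on the sample, the detector flags only 198.51.100.7 (ten accounts, two successes) and names carol and frank as the accounts whose reused passwords worked. The successful logins are the important output: they are the accounts the attacker now holds, and they are what a mandatory second factor, one of the controls named in the settlement, would have stopped even though the password was correct.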
As a result, 23andMe faced numerous class-action lawsuits, culminating in a proposed $30 million settlement. This settlement will cover compensation for affected customers and provide them with identity and genetic monitoring services. “If 23andMe did not have cyber insurance, this might be an enterprise-ending litigation,” said Kevin. After the settlement, seven members of the 23andMe board of directors resigned, about which Kevin said, “I think it shows how data breaches and resulting class action litigation can inflict serious financial and reputational harm on a company, often at the worst possible time.”
Although 23andMe denies any wrongdoing, it has agreed to enhance its security measures, such as mandating two-factor authentication, conducting annual cybersecurity audits, and improving protocols for handling inactive accounts.
This incident has raised concerns about the value and vulnerability of genetic data. While such information can be crucial for healthcare and research, its sensitivity also makes it a lucrative target for cybercriminals. Kevin said, “The world is a dangerous place. So, if there is data out there that can identify by name, address, location, certain categories of individuals, there’s always a safety risk . . . whether it’s electronic attacks or even physical attacks.” The breach highlights the need for stronger security measures in companies dealing with highly personal data and raises questions about the future regulation of genetic data privacy.
The settlement, still pending judicial approval, is seen as a necessary step to resolve the legal claims. However, the breach has damaged 23andMe's reputation and highlighted the broader risks associated with storing personal genetic information online. Privacy regulators in Canada and the UK have opened a joint investigation, indicating the global scale of the issue.