
News

September 25, 2024

Kevin Szczepanski Featured in InformationWeek Article on 23andMe Data Breach Settlement

Kevin Szczepanski, Data Security & Technology Practice Area co-chair, was featured in the InformationWeek article “23andMe $30M Data Breach Settlement: How Valuable Is Genetic Data?” In 2023, genetic testing company 23andMe experienced a significant data breach, leading to the exposure of sensitive personal and genetic information from approximately 6.9 million customers. The breach resulted from a credential-stuffing attack, where hackers used previously compromised credentials from other platforms to access 23andMe accounts. The stolen data, which included names, birth years, ancestry details, and in some cases, health and raw genetic information, was later sold on dark web forums, with certain groups being specifically targeted.

As a result, 23andMe faced numerous class-action lawsuits, culminating in a proposed $30 million settlement. This settlement will cover compensation for affected customers and provide them with identity and genetic monitoring services. “If 23andMe did not have cyber insurance, this might be an enterprise-ending litigation,” said Kevin. After the settlement, seven members of the 23andMe board of directors resigned, about which Kevin said, “I think it shows how data breaches and resulting class action litigation can inflict serious financial and reputational harm on a company, often at the worst possible time.” 

Although 23andMe denies any wrongdoing, it has agreed to enhance its security measures, such as mandating two-factor authentication, conducting annual cybersecurity audits, and improving protocols for handling inactive accounts.

This incident has raised concerns about the value and vulnerability of genetic data. While such information can be crucial for healthcare and research, its sensitivity also makes it a lucrative target for cybercriminals. Kevin said, “The world is a dangerous place. So, if there is data out there that can identify by name, address, location, certain categories of individuals, there’s always a safety risk . . . whether it’s electronic attacks or even physical attacks.” The breach highlights the need for stronger security measures in companies dealing with highly personal data and raises questions about the future regulation of genetic data privacy.

The settlement, still pending judicial approval, is seen as a necessary step to resolve the legal claims. However, the breach has damaged 23andMe's reputation and highlighted the broader risks associated with storing personal genetic information online. Countries like Canada and the UK have launched investigations, indicating the global scale of the issue.
