
News

September 25, 2024

Kevin Szczepanski Featured in InformationWeek Article on 23andMe Data Breach Settlement

Kevin Szczepanski, Data Security & Technology Practice Area co-chair, was featured in the InformationWeek article “23andMe $30M Data Breach Settlement: How Valuable Is Genetic Data?” In 2023, genetic testing company 23andMe experienced a significant data breach, leading to the exposure of sensitive personal and genetic information from approximately 6.9 million customers. The breach resulted from a credential-stuffing attack, where hackers used previously compromised credentials from other platforms to access 23andMe accounts. The stolen data, which included names, birth years, ancestry details, and in some cases, health and raw genetic information, was later sold on dark web forums, with certain groups being specifically targeted.

As a result, 23andMe faced numerous class-action lawsuits, culminating in a proposed $30 million settlement. This settlement will cover compensation for affected customers and provide them with identity and genetic monitoring services. “If 23andMe did not have cyber insurance, this might be an enterprise-ending litigation,” said Kevin. After the settlement, seven members of the 23andMe board of directors resigned, about which Kevin said, “I think it shows how data breaches and resulting class action litigation can inflict serious financial and reputational harm on a company, often at the worst possible time.” 

Although 23andMe denies any wrongdoing, it has agreed to enhance its security measures, such as mandating two-factor authentication, conducting annual cybersecurity audits, and improving protocols for handling inactive accounts.

This incident has raised concerns about the value and vulnerability of genetic data. While such information can be crucial for healthcare and research, its sensitivity also makes it a lucrative target for cybercriminals. Kevin said, “The world is a dangerous place. So, if there is data out there that can identify by name, address, location, certain categories of individuals, there’s always a safety risk . . . whether it’s electronic attacks or even physical attacks.” The breach highlights the need for stronger security measures in companies dealing with highly personal data and raises questions about the future regulation of genetic data privacy.

The settlement, still pending judicial approval, is seen as a necessary step to resolve the legal claims. However, the breach has damaged 23andMe's reputation and highlighted the broader risks associated with storing personal genetic information online. Countries like Canada and the UK have launched investigations, indicating the global scale of the issue.
