
News

September 25, 2024

Kevin Szczepanski Featured in InformationWeek Article on 23andMe Data Breach Settlement

Kevin Szczepanski, Data Security & Technology Practice Area co-chair, was featured in the InformationWeek article “23andMe $30M Data Breach Settlement: How Valuable Is Genetic Data?” In 2023, genetic testing company 23andMe experienced a significant data breach, leading to the exposure of sensitive personal and genetic information from approximately 6.9 million customers. The breach resulted from a credential-stuffing attack, where hackers used previously compromised credentials from other platforms to access 23andMe accounts. The stolen data, which included names, birth years, ancestry details, and in some cases, health and raw genetic information, was later sold on dark web forums, with certain groups being specifically targeted.

As a result, 23andMe faced numerous class-action lawsuits, culminating in a proposed $30 million settlement. This settlement will cover compensation for affected customers and provide them with identity and genetic monitoring services. “If 23andMe did not have cyber insurance, this might be an enterprise-ending litigation,” said Kevin. After the settlement, seven members of the 23andMe board of directors resigned, about which Kevin said, “I think it shows how data breaches and resulting class action litigation can inflict serious financial and reputational harm on a company, often at the worst possible time.” 

Although 23andMe denies any wrongdoing, it has agreed to enhance its security measures, such as mandating two-factor authentication, conducting annual cybersecurity audits, and improving protocols for handling inactive accounts.

This incident has raised concerns about the value and vulnerability of genetic data. While such information can be crucial for healthcare and research, its sensitivity also makes it a lucrative target for cybercriminals. Kevin said, “The world is a dangerous place. So, if there is data out there that can identify by name, address, location, certain categories of individuals, there’s always a safety risk . . . whether it’s electronic attacks or even physical attacks.” The breach highlights the need for stronger security measures in companies dealing with highly personal data and raises questions about the future regulation of genetic data privacy.

The settlement, still pending judicial approval, is seen as a necessary step to resolve the legal claims. However, the breach has damaged 23andMe's reputation and highlighted the broader risks associated with storing personal genetic information online. Countries like Canada and the UK have launched investigations, indicating the global scale of the issue.
