23andMe has recently come under fire due to a major data breach affecting nearly 7 million accounts and the alarming resignation of its entire board, leaving many wondering what will become of the genetic information of approximately 15 million users.
In November 2023, a class-action lawsuit was filed against 23andMe following a breach that disclosed personal and genetic information of nearly 6.9 million users, including names, contact details, and ancestry reports. This breach, which lasted several months before being disclosed, has led to allegations that the company failed to protect its users’ data adequately. Legal experts emphasize that federal protections for genetic data are notoriously weak, heightening concerns about how such sensitive information could be misused.
Despite 23andMe’s assurances regarding its commitment to user privacy, experts caution that the company’s current instability could jeopardize those promises. With a proposed $30 million settlement on the table, intended to compensate affected users and enroll them in a three-year privacy and medical monitoring program, many remain skeptical about whether these measures will effectively safeguard their data in the long run.
The breach was described as a “credential stuffing attack,” where hackers exploited stolen login credentials from a separate incident to access customer accounts. Alarmingly, the stolen data was reportedly concentrated among specific user demographics, raising fears that this may have been a targeted attack.
In light of these developments, many customers are reconsidering their engagement with the platform. Some are being advised to act quickly to request the deletion of their genetic data before potential further breaches or corporate decisions put that information at risk. This advice reflects a broader concern about the long-term implications of sharing genetic data with companies that may struggle to protect it.
The proposed settlement is pending approval from the U.S. District Court for the Northern District of California, where the court will assess whether the agreement is “fair, reasonable, and adequate.” The outcome could set a significant precedent for how companies handle genetic data in the wake of security breaches, underscoring the need for robust data protection measures.
