Your DNA, Their Data, Our Problem
When 23andMe announced a $30 million class-action settlement over a data breach that exposed the genetic information of nearly 7 million users, mainstream outlets framed it as consumer recourse. The company, valued at $795 million as of March 2024, saw its stock price drop following the 2023 incident, which involved 'credential stuffing' attacks. The breach allowed malicious actors to access
sensitive data, including ancestry reports and health predisposition information, often linked to user's relatives. What mainstream reports typically omit is the long game. Genetic data, far beyond a credit card number, is a permanent identifier. This isn't groundbreaking; as early as 2013, the 'DoD Human Genome Project' explored mass data collection, and by 2015, the National Institutes of Health
launched the 'All of Us' research program, accumulating vast quantities of genetic information. The settlement, equating to roughly $4.35 per affected user if every eligible person claims, stands in stark contrast to the immense value this data holds for pharmaceutical companies, insurance providers, and even government institutions for research, profiling, and control. This pattern of
corporations collecting hyper-specific personal data, failing to secure it, and then suffering minimal financial consequences while retaining valuable insights from the breach itself is a recurring motif. The punitive damage is negligible for a company with 14 million users on file, whose core business model revolves around the aggregation and analysis of this very sensitive information. What is