Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
In Re: 23andMe, Inc. Customer Data Security Breach Litigation(23andmedatasettlement.com)
51 points by toomuchtodo an hour ago | 27 comments
TheBlight an hour ago | parent | next [-]

If you type something into the computer you should assume everyone in the world will eventually be able to see it.

If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.

bsimpson an hour ago | parent | prev | next [-]

I've had 23andme since ~2012. Haven't received a single email from/about 23andmedatasettlement.com

babelfish an hour ago | parent [-]

It would have been from 23andmebankruptcynoticing@noticing.ra.kroll.com

tomrod 42 minutes ago | parent [-]

Ah, certainly not a spam email.

toomuchtodo an hour ago | parent | prev | next [-]

Related:

DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)

23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)

zdw an hour ago | parent | prev | next [-]

Can I file a claim if I'm related to folks who shared their (and by extension, my) DNA with this company?

SoftTalker an hour ago | parent | next [-]

This will basically be everyone in the world. Could be the largest class action ever?

2muchcoffeeman 37 minutes ago | parent [-]

Oprah spruiked 23andMe.

Can people sue Oprah?

iwontberude 27 minutes ago | parent [-]

Since when is spruiking a liability?

windexh8er 37 minutes ago | parent | prev [-]

I may actually try my hand in conciliation court against them on this one. I received a test kits back around 2015 from a family member, but was disgusted at the idea that there was no possible way they 1) wouldn't go under and sell my data 2) be breached. I feel like these sort of outcomes for these types of services are very obvious as highly likely to anyone who works in proximity to tech, and especially startups.

Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying to that others can make these sort of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.

LurkandComment an hour ago | parent | prev | next [-]

What if you're Canadian?

atulvi an hour ago | parent [-]

I want to know this too.

ilamont 36 minutes ago | parent | prev | next [-]

When this blew up, the breach had been ongoing for months and 23andme had no clue. The company immediately blamed customers for sharing passwords, and strenuously avoided any mention of admitting it was in fact a hack.

https://techcrunch.com/2023/10/10/23andme-resets-user-passwo...

The hack was yet another failure in a long list under the CEO: Failed execution on the drug development strategy, lying about growth, pushing out the cofounder, never making a profit, FDA warning letters, ditching its genealogy tools, screwing over investors, screwing over the board, and so on.

The company she bankrupted was about to be sold to Regeneron - probably the best option for everyone - when her "nonprofit" swooped in with a high bid.

https://www.medtechdive.com/news/anne-wojcicki-buy-23andme-b...

coolThingsFirst an hour ago | parent | prev | next [-]

2 measly SQL injections and down goes 23andMe.

arnonejoe an hour ago | parent | prev | next [-]

Give each victim 100 shares of company stock. You lose your company to the people that you hurt. Seems fair.

tomrod 41 minutes ago | parent | next [-]

That's just bankruptcy with extra steps. You're giving an asset which has no value immediately after the action.

loloquwowndueo 40 minutes ago | parent | prev [-]

*lose

arnonejoe 27 minutes ago | parent [-]

Thank you ;)

SilverElfin an hour ago | parent | prev [-]

> Up to $10,000 for Extraordinary Claims; > Up to $165 for Health Information Claims; > An estimated $100 for Statutory Cash Claims; and > 5 years of Privacy & Medical Shield + Genetic Monitoring

None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?

toomuchtodo an hour ago | parent | next [-]

There is no way to make victims whole for this negligence; what is on offer is arguably the best that can done for a failure to properly implement customer identity and access management systems and processes for personal genomic user data.

(disclosure: I am a member of the class, as is most of my family, no other affiliation)

uoaei an hour ago | parent [-]

This kind of fatalism is the antithesis of proper legal thought and practice as it pertains to real harm.

Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.

toomuchtodo 9 minutes ago | parent | next [-]

I will allow my past comments to speak for themselves.

https://news.ycombinator.com/item?id=38857170

https://news.ycombinator.com/item?id=38857228

https://news.ycombinator.com/item?id=38857476

My favorite reply at that time:

> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)

> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.

This class action and the £2.3M extracted by a UK regulator feel like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach.

Closing the loop on this provides an immutable case study on this topic.

(i manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech, I take this work seriously, because someone should)

delichon an hour ago | parent | prev [-]

That might matter if 23andMe still had deep pockets, rather than being a bankrupt shell.

tomrod 38 minutes ago | parent [-]

Everyone who served on the board or worked for the company should be held liable, personally and in a piercing of the corporate veil.

Individuals had responsibility when they made these decisions. It is on the courts to make the victims whole, despite the shenanigans around corporate liability limits.

EDIT: I legitimately think that if we _don't_ hold individuals accountable for these sorts of data breaches of the most sensitive data imaginable then there is no sense to legal systems.

EDIT2: Assuming Gemini has any semblance of accurate information, here are some individuals to consider beginning with:

- Anne Wojcicki (Co-Founder, Chair of the Board)

    Estimated Net Worth: $150 Million - $270 Million (Note: Her net worth peaked significantly higher when 23andMe's valuation was high, but has been adjusted downward following the company's financial struggles and bankruptcy filing).

    Other Known Affiliations: Co-founder and board member of the Breakthrough Prize Foundation. Former wife of Google co-founder Sergey Brin.
- Andre Fernandez (Independent Director)

    Estimated Net Worth: At least $1 Million (based on reported stock holdings as of late 2025).

    Other Known Affiliations: Former CFO of WeWork Inc. and NCR Voyix Corp. Serves on the board of Cardlytics.
- Jim Frankola (Independent Director)

    Estimated Net Worth: At least $18 Million (based on reported stock holdings in late 2025).

    Other Known Affiliations: Former CFO of Cloudera Inc. and Ariba. Serves as a Director and Audit Committee Chair for Ansys, Inc.
- Mark Jensen (Independent Director, Lead Independent Director)

    Estimated Net Worth: At least $12.7 Million - $19.1 Million (Note: Public records show different individuals with similar names and varying net worths; this estimate is based on the director with experience as CFO of RedLeaf, Lattice Semiconductor, and ForeScout, who served as a Director for Lattice Semiconductor Corp and holds a significant position at American Resources Corp).

    Other Known Affiliations: Previous Audit Committee Chair for companies like Lattice Semiconductor and ForeScout.
- Neal Mohan (Past Independent Director)

    Estimated Net Worth: Not widely disclosed, but as CEO of a major tech platform, his compensation is substantial.

    Other Known Affiliations: Chief Executive Officer (CEO) of YouTube.
- Roelof Botha (Past Independent Director)

    Estimated Net Worth: $1.5 Billion - $2 Billion (primarily due to his role as a successful venture capitalist).

    Other Known Affiliations: Partner at venture capital firm Sequoia Capital.
- Patrick Chung (Past Independent Director)

    Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.

    Other Known Affiliations: Co-founder and Managing Partner at Xfund.
- Peter J. Taylor (Past Independent Director)

    Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.

    Other Known Affiliations: President of Greatland Investment Group; former CFO and Executive Vice President of PG&E Corporation.
- Richard Scheller, Ph. D. (Past Independent Director)

    Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.

    Other Known Affiliations: Former Chief Science Officer and Head of Research and Early Development at Genentech.
- Sandra Hernández, M.D. (Past Independent Director)

    Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.

    Other Known Affiliations: CEO of the California Health Care Foundation.
- Valerie Montgomery Rice, M.D. (Past Independent Director)

    Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.

    Other Known Affiliations: President and CEO of the Morehouse School of Medicine.
delichon 27 minutes ago | parent [-]

  William Roper: “So, now you give the Devil the benefit of law!”

  Sir Thomas More: “Yes! What would you do? Cut a great road through the law to get after the Devil?”

  William Roper: “Yes, I'd cut down every law in England to do that!”

  Sir Thomas More: “Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!”
― Robert Bolt, A Man for All Seasons: A Play in Two Acts
zeroonetwothree an hour ago | parent | prev [-]

You are free to opt out of the settlement and pursue your own claim.

SilverElfin 36 minutes ago | parent [-]

This is true of all class actions. But it’s not helpful that the only recourse for victims is to lose enormous amounts of money and time to get justice. This is a loophole that must be fixed.