toomuchtodo an hour ago

I will allow my past comments to speak for themselves.

https://news.ycombinator.com/item?id=38857170

https://news.ycombinator.com/item?id=38857228

https://news.ycombinator.com/item?id=38857476

> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)

> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.

This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.

Closing the loop on this provides an immutable case study on this topic.

(I manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech; I take this work seriously, because someone should. If you want better behavior, we need better legal tools to go after corporations for this.)