Comment by jonstewart 10 months ago
They also just settled a class-action lawsuit stemming from their data breach: https://www.bleepingcomputer.com/news/security/23andme-to-pa...
My HSA emailed me and said “woopsies, we leaked all your data”.
And…? You’re going to try and give me credit monitoring when I literally have 2 overlapping credit monitoring offers from the other companies that leaked my data?
> The government should be able to dissolve the company and give the money to the victims
I feel you, but my understanding is that without clear monetary impact, it's hard to collect any amount of money from these companies. Even if you experience identity theft, who's to say this vs one of the other data leaks was the issue.
Yes. That's the current state of things. And we want it to not be the state of things.
> data-breaches could carry the death penalty for companies
One, corporate death penalties are nonsense. They’re a distraction from fines.
Two, what would America pay for its adversaries to enact such a policy? Automatic self-destruct for the entire data sector.
I agree that a 'corporate death penalty' would be enormously open to abuse; sector rivals would be even more incentivised towards industrial espionage, for one thing...
But 'a distraction from fines'? Fines do nothing to help those affected by such breaches. Even class action lawsuits usually result in symbolic payouts to individual victims. Given the potential consequences of these breaches, especially in the health space, criminal prosecution for those executives responsible seems appropriate, commensurate and incentivising.
> But 'a distraction from fines'? Fines do nothing to help those affected by such breaches
Bigger fines. Fines that bankrupt the company. Note: bankrupt. Not shut down. Clean out the shareholders and upper management, possibly spin some stuff off or even break it up. (There is this popular conception that bankruptcy means an F-35 bombs the company’s offices and factories and it’s plain wrong.)
Corporate death penalty is a distraction from bigger fines.
> I think data-breaches could carry the death penalty for companies.
The ironic thing is: why pay for their data now when it's out there already?
Sounds like they played themselves.
Because most companies aren't going to go out to the dark web and buy breached data with bitcoin?
To those wondering why the quotes are given, I assume it's because no 23andMe system was compromised.
The data was retrieved via credential stuffing, which is trying username/email and password combinations from other data breaches.
It can be argued that 23andMe should have had stricter login requirements (e.g. require MFA, require longer passwords) and by failing to do so they were responsible for the leaked data. Or you can argue that the users didn't protect their own data since they didn't use long, secure passwords that were unique per website.
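From a defender's view, the credential stuffing the comment describes leaves a recognisable trace in authentication logs: one source replaying leaked email/password pairs produces a burst of mostly failed logins spread over many distinct accounts, unlike one user mistyping their own password. The example below is added here and is not from the thread; the log format, IPs, usernames and thresholds are all constructed.

```python
"""Flag credential-stuffing sources in constructed auth-log lines.

Heuristic: a source IP whose attempts span many *distinct* usernames and
are mostly failures is behaving like a stuffing tool, not a person. The
accounts it did get into are the ones needing a forced reset / MFA step-up.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source ip> <username> <outcome>"
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank@example.com FAIL
2023-10-01T12:00:10Z 198.51.100.5 grace@example.com FAIL
2023-10-01T12:00:15Z 198.51.100.5 grace@example.com FAIL
2023-10-01T12:00:20Z 198.51.100.5 grace@example.com SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    succeeded: set = field(default_factory=set)  # accounts actually entered


def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {ip: sorted accounts the source logged into} for flagged IPs.

    Thresholds are assumptions: at least `min_users` distinct accounts and
    at least `min_fail_ratio` of attempts failing. A lone user retrying
    their own password never reaches `min_users`, so is not flagged.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        _ts, ip, user, outcome = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "SUCCESS":
            s.succeeded.add(user)
        else:
            s.failures += 1
    return {
        ip: sorted(s.succeeded)
        for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }
```

Here 203.0.113.7 is flagged (six accounts, five failures) and carol@example.com is the account it got into; grace's three retries from 198.51.100.5 are not flagged.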
I think data-breaches could carry the death penalty for companies.
I just got a notification from some health services company that my and my toddler's data was accessed. Including medical history, diagnoses, payment details, SSN, birthday. Why was this not encrypted? Given the world today, this is negligent. The government should be able to dissolve the company and give the money to the victims.
If there was a willful disregard for "common security and privacy standards", criminal charges against the executive team.
You want my personal life data? It comes with steep personal risk.