
I've said it countless times now: until there is criminal liability for negligence with regard to data warehousing/safekeeping, this is going to keep happening. Because they do not care, and will not care (regardless of what their PR puts out) until their toosh is on the line.

Every time there's a breach, they pull a British Petroleum "we're reallllly sorrrrrry" and buy a bunch of people LifeLock. It's absolute bullshit.



Why would 23andMe face any criminal liability? Per the article, they were never breached; only individual accounts with reused credentials exposed in other breaches. They should have had 2FA, but I don't think not having 2FA should be criminalized.


If a bank allowed people to log in to their bank account and make transfers based on only email+password and someone stole money from a bunch of accounts, would the bank face any criminal liability?

I don't know the answer, but I would say your DNA sequence should be secured similarly to your bank account.


I don’t know about criminal liability, but they’re certainly at fault for not implementing a check against known compromised passwords[1]. I believe it’s been an accepted best practice since something like 2017.

1. https://haveibeenpwned.com/Passwords
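The compromised-password check referred to above, as an added example that is not part of this thread or of any 23andMe code: it implements the k-anonymity range lookup that the linked Pwned Passwords service exposes (SHA-1 the candidate password, send only the first five hex characters, match the remaining suffix locally). The range response is a constructed sample so the block runs offline; the live endpoint URL and response shape are stated as assumptions about that API.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed sample of a Pwned Passwords range response: one "SUFFIX:COUNT"
# line per known-breached SHA-1 that shares the queried 5-hex-char prefix.
# The first line is the real suffix of SHA-1("password"); the other two
# suffixes and all counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n",
}

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the API call, serving the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")

def live_fetch_range(prefix: str) -> str:
    """Query the real API (assumed endpoint shape; not called in this file)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")

def password_sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Map each returned suffix to its breach count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count via the k-anonymity range lookup: only the 5-char hash
    prefix leaves the host and the suffix match is local, so neither the
    password nor its full hash is ever sent."""
    digest = password_sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def reject_reason(password: str, fetch_range=offline_fetch_range) -> str:
    """Signup/password-change gate: empty string means the password passes."""
    n = pwned_count(password, fetch_range)
    return f"password seen in {n} known breaches; choose another" if n else ""
```

Wire `reject_reason` into signup and password-change handlers with `live_fetch_range`, and treat a lookup failure as a soft error (log it, fall back to other checks) rather than letting an API outage block registrations.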



