SecureMac, Inc.

Checklist 396: 23andMe and NPD, Revisited

October 18, 2024

23andMe and NPD face fallout from major data breaches, legal challenges, and financial woes, raising concerns about privacy and the future use of exposed data.

23andMe Data Breach Fallout: Settlement, Financial Struggles, and Potential Sale Raise Concerns

A year after 23andMe’s data breach exposed millions of users’ genetic information and personally identifiable details, new developments are adding frustration for those affected. The initial breach, discussed on Checklist No. 348, began with hackers releasing user information, and by December 2023, an estimated 7 million users were believed to have been impacted. Now, the company has reached a settlement to resolve claims tied to the incident.

Settlement Details

According to a report from The Register, 23andMe has agreed to a $30 million settlement over the breach, which affects around 6.4 million users. The deal includes three years of privacy, medical, and genetic monitoring for those impacted. While $30 million may sound substantial, it equates to roughly $4.70 per person. However, this amount hinges on how many individuals submit claims, potentially raising compensation for those who do file. Notably, insurance is expected to cover $25 million of the settlement costs, with 23andMe directly paying only $5 million.

Financial Uncertainty and Possible Sale

Despite having $170 million on its balance sheet, the company has faced significant financial challenges, reporting tens of millions in losses per quarter. A recent article from Forbes indicates that 23andMe is exploring a potential sale to alleviate its financial strain. This move has raised concerns about the future handling of the genetic data from over 15 million customers.

The Forbes piece emphasizes that new ownership could bring different priorities regarding the use of genetic data, potentially leading to uses not initially consented to by customers. This could include access by insurance companies, pharmaceutical firms, or even law enforcement agencies.

Questions about medical privacy laws such as HIPAA (Health Insurance Portability and Accountability Act) have also surfaced. The report notes that HIPAA does not cover data held by direct-to-consumer genetic testing companies like 23andMe. While health insurers cannot use genetic data to deny coverage, life and disability insurance companies are not subject to the same restrictions, raising concerns about potential misuse of this information.

What’s Next for Customers?

For those whose data was exposed in the breach, options are limited. As the report notes, once data is shared, it is nearly impossible to control its future use. Customers may find themselves hoping for the best or regretting past decisions. As one commentator quipped, building a time machine might be more feasible than fully safeguarding one’s genetic information after the fact.

Data Broker National Public Data Faces Bankruptcy Amid Massive Breach and Litigation

In the aftermath of a significant data breach, Florida-based data broker National Public Data (NPD) has filed for Chapter 11 bankruptcy, grappling with legal challenges and a flood of litigation. According to a recent report from TechCrunch, the company’s downfall followed the loss of millions of Social Security numbers and other sensitive information, impacting potentially hundreds of millions of records earlier this year.

The Data Breach and Its Scale

NPD’s breach was first detailed in BleepingComputer back in August, with nearly 2.7 billion records of personal information—including names, Social Security numbers, physical addresses, and possible aliases—leaked on a hacking forum. Notably, this staggering number reflects multiple records for individual people across various known addresses, rather than data for 2.7 billion distinct individuals.

NPD’s business involved collecting and selling personal data for purposes like background checks, criminal record access, and services for private investigators. Although some data was scraped from public sources, it’s now clear that NPD also purchased bulk data, adding another layer to the complexities of the breach.

As the company faces increasing legal scrutiny, it has admitted that it’s unlikely to cover its liabilities, including the cost of credit monitoring for those affected by the breach. NPD’s parent company, Jericho Pictures, revealed to the bankruptcy court that it is battling regulatory actions from the Federal Trade Commission and more than 20 states.

NPD’s financial difficulties echo those of other data-heavy companies facing breaches. According to TechCrunch, NPD recorded net profits of $475,526 in 2022 and $865,149 in 2023, but much of this revenue went toward buying bulk data and compensating Salvatore Verini, the company’s owner and sole operator.

From Data Broker to Hollywood Story

Adding a twist to the story, NPD’s parent company, Jericho Pictures, is led by Salvatore Verini—a relatively unknown actor, writer, and producer. The Register highlights how Verini operated the business from his home, relying on modest hardware, including two HP Pavilion desktops, a ThinkPad laptop, and a few Dell servers. Despite that modest setup, NPD’s assets also include databases of sensitive information, such as records of individuals licensed to prescribe controlled substances and those with concealed carry permits.

Verini’s financial missteps and the company’s vulnerable data practices are now at the center of the ongoing legal battles and bankruptcy proceedings. As TechCrunch notes, the company has revealed ownership of 27 domains related to its services, each with a value of about $25.

A Wild West of Data

The breach of NPD shines a light on the broader issues within the data broker industry. Lena Cohen, a staff technologist with the Electronic Frontier Foundation (EFF), described the industry as “the wild west of unregulated surveillance.” She emphasized the challenges faced by individuals trying to protect their privacy in an opaque and largely unregulated market, where personal data can be bought and sold with limited oversight.

What Can Affected Individuals Do?

Those who suspect their information may have been part of the breach can visit dedicated sites like npdbreach.com or npd.pentester.com to check their exposure. If data has been compromised, a number of steps are recommended by SecureMac, other privacy-focused websites, and the U.S. Government, which were extensively covered in Checklist No. 389. For more details on those measures, affected users can consult the SecureMac website at SecureMac.com/checklist.
