ISEDJ

Information Systems Education Journal

Volume 24

V24 N3 Pages 16-31

May 2026


When One Account Exposes Millions: Design Debt, Relational Exposure, and the 23andMe Breach


David Yates
Bentley University
Waltham, MA USA

Arthur Ream III
Bentley University
Waltham, MA USA

Abstract: This case examines the 2023 breach of 23andMe to illustrate how accumulated design debt in a relational genetic platform produced a condition of privacy fragility, enabling the compromise of 14,000 accounts to expose profile data from 6.9 million users. Rather than a traditional security failure, the incident reveals how architectural choices – visibility defaults, optional authentication safeguards, and weak consent mechanisms – can amplify harm across genetically linked networks. The case traces the breach’s escalation, the company’s delayed and defensive response, and the governance and legal challenges that culminated in 23andMe’s 2025 bankruptcy and data transfer to a new corporate entity. Designed for one or two class sessions, the case provides conceptual scaffolding and gives instructors a foundation for discussing platform accountability in data-intensive systems. It can be used in undergraduate courses in information systems, cybersecurity, or governance to anchor class meetings on architectural trade-offs, privacy risk, digital platforms, and incident response.
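As an added illustration of the relational-exposure argument in the abstract (example code written for this page, not the case's or 23andMe's own, with every user, link and number constructed rather than taken from the breach): a small relative graph is built, a handful of accounts are treated as compromised by credential stuffing, and the exposed profile count is compared under a sharing-with-relatives default that is on versus off. The assumed mechanism is that an account holder can read the profiles of relatives who have sharing enabled.

```python
N_USERS = 1000           # constructed platform size (not real data)
RELATIVES_PER_USER = 20  # constructed: forward links per user
STRIDE = 37              # constructed stride that spreads links out

def build_relative_graph(n_users=N_USERS, per_user=RELATIVES_PER_USER):
    """Constructed genetic-relative graph: user u is linked to the per_user
    users at fixed strides after it; links are symmetric because relatedness
    is, so every user ends up with 2 * per_user relatives."""
    rel = {u: set() for u in range(n_users)}
    for u in range(n_users):
        for k in range(1, per_user + 1):
            v = (u + k * STRIDE) % n_users
            rel[u].add(v)
            rel[v].add(u)
    return rel

def shares_with_relatives(user, default_on):
    """One user's visibility setting. Users whose id is a multiple of 20 are
    the constructed 5% who actively flip whatever the default is; everyone
    else keeps it. The default itself is the platform's design choice."""
    changed_default = user % 20 == 0
    return default_on != changed_default

def exposed_profiles(compromised, rel, default_on):
    """Profiles readable from the compromised accounts: the accounts
    themselves plus every relative whose sharing is switched on. One hop is
    modelled, i.e. what a relative-matching view shows the account holder."""
    exposed = set(compromised)
    for account in compromised:
        for r in rel[account]:
            if shares_with_relatives(r, default_on):
                exposed.add(r)
    return exposed

def amplification(compromised, rel, default_on):
    """Exposed profiles per compromised account."""
    return len(exposed_profiles(compromised, rel, default_on)) / len(compromised)

if __name__ == "__main__":
    graph = build_relative_graph()
    # constructed: credential stuffing succeeds on 10 of 1000 accounts;
    # mandatory MFA would shrink this list, the sharing default shrinks the fan-out
    hit = list(range(0, N_USERS, 100))
    for default_on in (True, False):
        n = len(exposed_profiles(hit, graph, default_on))
        print(f"sharing default on={default_on}: {n} profiles exposed "
              f"from {len(hit)} accounts (x{amplification(hit, graph, default_on):.0f})")
```

With the constructed graph, the same ten compromised accounts expose 390 profiles when sharing defaults to on and 30 when it defaults to off, which is the amplification the abstract attributes to visibility defaults.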

Download this article: ISEDJ - V24 N3 Page 16.pdf


Recommended Citation: Yates, D.J., Ream III, A.F., (2026). When One Account Exposes Millions: Design Debt, Relational Exposure, and the 23andMe Breach. Information Systems Education Journal 24(3) pp 16-31. https://doi.org/10.62273/TQZO9281