When 23andMe filed for bankruptcy, it wasn’t just about business. It was about broken trust.
Headlines focused on what millions of people had feared for years: the misuse of deeply personal genetic information. The kind of data that can’t be reissued, reset, or undone.
But how it happened and what it says about our current approach to data protection deserves a closer look.
Because this breach wasn’t about technical wizardry or exotic malware. It happened the way most breaches do: Someone got in and the data was all accessible and usable.
That’s the part we need to talk about.
The Breach Beneath the Breach
The breach at 23andMe started with credential stuffing—an old trick. Hackers reused stolen passwords to access user accounts. From there, they took advantage of a feature designed to connect users through shared DNA.
But what makes this incident stand out is what happened next:
With access to just a few accounts, attackers were able to access sensitive data on millions. Genetic traits. Family relationships. Health indicators.
It wasn’t just an access issue.
It was an exposure issue.
And that’s a distinction more organizations need to understand.
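On the access side of that distinction, credential stuffing leaves a recognizable pattern in authentication logs: one source trying many different accounts and mostly failing. The sketch below is an added example, not code from 23andMe or Karlsgate; the log format, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed log slice (one short window): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 198.51.100.7 alice FAIL
2024-01-01T10:00:02Z 198.51.100.7 bob FAIL
2024-01-01T10:00:03Z 198.51.100.7 carol OK
2024-01-01T10:00:04Z 198.51.100.7 dave FAIL
2024-01-01T10:00:05Z 198.51.100.7 erin FAIL
2024-01-01T10:01:10Z 203.0.113.20 gina OK
2024-01-01T10:01:40Z 203.0.113.20 hank OK
2024-01-01T10:02:05Z 203.0.113.20 ivan FAIL
2024-01-01T10:02:09Z 203.0.113.20 ivan OK
2024-01-01T10:02:30Z 203.0.113.20 judy OK
2024-01-01T10:03:00Z 203.0.113.20 kim OK
2024-01-01T10:04:00Z 192.0.2.55 lee FAIL
2024-01-01T10:04:05Z 192.0.2.55 lee FAIL
malformed line
"""


def parse(log_text):
    """Yield (ip, user, ok) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"


def find_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct accounts and mostly fail.

    Returns {ip: sorted usernames that logged in successfully from it};
    those accounts need session revocation and a forced password reset.
    """
    users, hits = defaultdict(set), defaultdict(set)
    fails, total = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        total[ip] += 1
        if ok:
            hits[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip in users:
        if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio:
            flagged[ip] = sorted(hits[ip])
    return flagged
```

The shared office address (many users, few failures) and the single user mistyping a password are both left alone; only the source that sprays many accounts is flagged, along with the one login that succeeded from it.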
Why Traditional Protections Aren’t Enough
Let’s be clear: endpoint security, access control, and encryption are essential. No system should operate without them.
But breaches still happen. And when they do, the question is no longer "how did they get in?" It’s "what did they find once they were inside?"
Too often, the answer is: everything.
This is the gap that’s costing organizations trust, money, and long-term viability.
Data needs a second line of defense. One that works even when systems are accessed, credentials are compromised, or data needs to flow beyond your security firewall.
And with the growing threat of quantum computing, that second layer must be quantum-resilient. The encryption that protects most systems today won’t survive once quantum decryption becomes feasible. Data harvested today can—and likely will—be decrypted tomorrow.
That’s why Karlsgate has already implemented post-quantum cryptography (PQC) in our solutions. It’s not a theoretical upgrade. It’s a necessary foundation for protecting sensitive data against tomorrow’s threats.
How It Could Have Been Different
Let’s imagine this playing out another way.
The attackers still gain access—maybe through credential reuse, maybe through another method. That part doesn’t change.
But what they find does.
Because in a system architected for layered, future-proof protection, they wouldn’t have found meaningful data. They would have found de-identified and encrypted, unlinkable, unusable fragments. Nothing to sell. Nothing to exploit.
Here’s how Karlsgate would have designed that system:
This isn’t just theoretical. It’s how Karlsgate operates today—in real environments, across industries, at scale.
Third-Party Risk: The Silent Threat
And critically, this approach doesn’t just apply to data inside your own walls.
Even if your internal systems are protected, the moment data leaves your organization, the risk multiplies.
According to KPMG, 73% of organizations have experienced at least one significant disruption caused by a third party within the past three years (KPMG 2022 Third-Party Risk Management Outlook), resulting in the misuse of sensitive or confidential information.
And yet, collaboration with partners is more important than ever—whether it’s for research, marketing, analytics, or AI.
The problem is most organizations still rely on outdated models that require:
That’s not sustainable. And it’s not secure.
Karlsgate’s architecture extends protection beyond the organization’s perimeter.
We create Protected Data Pipelines—pathways that allow data to move between systems and organizations without ever becoming exposed.
With Karlsgate:
And by incorporating post-quantum resilience from the start, we ensure that even long-lived, sensitive data stays protected—not just in today’s workflows, but in the world ahead.
What the 23andMe breach shows us, and what every breach reminds us, is that no system is impenetrable.
But that doesn’t mean data has to be vulnerable.
We’re entering a new phase of data protection. One where:
At Karlsgate, we call this the Protected Data Age.
It’s not a tagline. It’s a call to build differently. To protect differently.
To move beyond reactive defenses, and toward systems designed to make exposure irrelevant.
Because the goal isn’t just to secure infrastructure. It’s to ensure that data remains protected, even as it moves, flows, and powers innovation.
At Karlsgate, we’re building the infrastructure for that future: Protected Data Pipelines that enable collaboration, automation, and analysis without compromise.