With 23andMe’s Directors Quitting, Your Data is at Risk

With all seven independent directors resigning from 23andMe last week, the company has become a cautionary tale of why cybersecurity is a business decision for any enterprise first, as there are immediate and lasting impacts to any organization ignoring that.  Customers aren’t sure how the company plans to strengthen its security and protect their DNA and other confidential personally identifiable information (PII). Enterprises can’t afford to allow security to become a liability.

Multiple large-scale security breaches have jilted existing customers’ confidence and made potential customers think twice about sharing their DNA data with 23andMe.

The independent board members unanimously resigned in response to CEO Anne Wojcicki’s push to take the company private on Sept. 17. The resignation states that they haven’t seen progress on an actionable plan for taking the company private that benefits all shareholders.

The independent directors also cite differences of opinion with Wojcicki on the company’s future direction and believe it’s best to resign instead of fueling potential internal conflict.

23andMe’s leadership crisis further jeopardizes DNA security   

It’s rare to see an entire board resign at once. That signals a fundamental disconnect between how the board and senior management see the future of the business. 23andMe can’t afford a disconnect between identity and access management (IAM) and privileged access management (PAM), improving their security infrastructure and ensuring a more robust security posture. Now would be a perfect time to reinvent themselves from a security standpoint, protecting customers’ identities and their DNA data.

DNA data provides the most permanent personal data there is, exposing victims of identity attacks based on the data to a lifetime of potential liability. As Tina Srivastava, co-founder of Badge, told VentureBeat in a recent interview, “With 23andMe and DNA, you can’t reset it, you can’t change it if it’s compromised. It’s like a one-and-done situation. It’s not revocable. What Badge does is that we eliminate the storage of biometric data.”

David Aronchick, CEO of Expanso told VentureBeat that “one of the fundamental challenges for 23andMe is that while they possess an enormous amount of sensitive genetic data, they may not be fully equipped to extract its maximum value internally, especially without extensive research facilities.” Aronchick added that “traditionally, sharing this data with external parties has involved allowing downloads and trusting third parties to handle it responsibly—a method fraught with security risks – especially because the only way to enforce good behavior of the data is legally and with deep audits.” He said 23andMe would struggle with the scale the solution approach would require.

Merritt Baer, CISO at Reco told VentureBeat in a recent interview, “Identity security isn’t just a technical issue, it’s a fundamental component of corporate trust between a company and its users. When executive leadership is in flux, the entire organization is exposed to questions around how an entity will enforce both the strategic and the tactical behaviors that customers need to see”.

Financial instability is amplifying security concerns

For its first quarter of fiscal year 2025 (FY25), which ended June 30, 2024, 23andMe reported a 34% year-over-year revenue decline, dropping from $61 million to $40 million. The steep decline was influenced by the termination of its partnership with GSK and a drop in personal genetic services (PGS) sales.

Despite some improvement in adjusted EBITDA, the company’s net losses were still significant at $69 million for the quarter. Their struggling research business contributes to a multimillion-dollar loss, known for being exceptionally expensive yet failing to deliver substantial revenue, as their quarterly results show.

CNN reports that last month, 23andMe shuttered its internal drug research group.

With only $170 million in cash left, 23andMe faces a significant cash burn. It will need to raise additional funds and consider an acquisition or an investment from private equity firms pursuing healthcare. The Wall Street Journal recently wrote, “23andMe has never made a profit and is burning cash so quickly it could run out next year.” 23andMe also announced a telehealth platform, Lemonaid, selling weekly injections of compounded semaglutide, the active ingredient in Wegovy and Ozempic, through a new subscription product in an attempt to capitalize on the popularity of GLP-1 medications for weight loss, according to the WSJ.

Private equity firms are known for the depth of their due diligence before investing in or acquiring companies, often drilling down into the security infrastructure and tech stack. Given 23andMe’s distressed financial state, chances are it’s already on the acquisition radar of private equity firms.

Their ongoing security vulnerabilities may further reduce the company’s valuation, making it more attractive to private equity firms looking for distressed assets. Any future breaches would likely compound the company’s financial instability and purchase price.

23andMe’s new board needs to include at least one CISO from healthcare who knows how to protect healthcare data and is familiar with the many compliance requirements and laws in that industry.

Baer remarked on the core challenges facing 23andMe’s board from a CISO perspective. “The board should be an accountability mechanism for the company— not just when it is convenient. The entire value proposition of 23andMe resides in the idea that folks will buy a genetic testing kit, but that was a questionable hypothesis (what happens after you buy it once? Your genes don’t change). Now it’s a questionable proposition because it relies on a presumption of trust—one that feels unreliable.”

23andMe is an appealing private equity buy

Despite its challenges, 23andMe’s massive base of genetic data based on over 12 million kits being sold combined with the work it’s been doing with healthcare professionals, medical researchers and the scientific community make it an appealing target for private equity firms.

The company’s current market capitalization is $170 million, with an enterprise value of approximately $69 million. Private equity firms with substantial investments in healthcare technology and services providers include Blackstone who recently acquired Ancestry, KKR and TPG. Each of these firms and others potentially see the company’s condition and challenges as an opportunity to acquire 23andMe at a discount.

The sale of 23andMe to an offshore private equity firm would raise significant concerns about U.S. citizens’ genetic data security. When VentureBeat asked industry leaders, including Srivastava for their perspective on a foreign buyer acquiring 23andMe, she said, “And I hope that given the national security implications of this, we don’t allow this to be given over, like you said to foreign parties that don’t respect the privacy of Americans.”

Eric Chien, director at Symantec Enterprise Division at Broadcom, stressed the importance of a few things when VentureBeat interviewed him recently. The major one is “knowing who has access to that data and the chain of custody.” Without these safeguards, 23andMe’s sensitive data could be at risk of exploitation, further complicating any potential sale.

“This is a fairly unique situation (all of the independent directors resigned), but it’s emblematic of other issues in governance, trust, security and the damage to the company when external and internal folks lose confidence,” Baer told VentureBeat.

23andMe is an appealing private equity buy

In October 2023, 23andMe suffered a significant data breach due to credential stuffing attacks, where hackers used login details obtained from other breaches to access user accounts. The breach compromised the personal and genetic data of nearly 7 million individuals. The information exposed included names, birth years and ancestry data from 5.5 million customers using the “DNA Relatives” feature and 1.4 million users using the “Family Tree” feature.

One of the most alarming breaches of identities ever was the specific targeting of unique demographic groups, including 1 million Ashkenazi Jews and anyone in the 23AndMe data set of Chinese descent. Attackers were quick to leak the breached DNA data on BreachForums and Reddit. Attackers also breached exposed raw genotype data, raising concerns about the potential misuse of genetic information for blackmail, unauthorized genetic research, or employment and insurance discrimination​.

23andMe delayed telling Ashkenazi Jews and Chinese that their data had been stolen. As a result, in January 2024, the company faced a class-action lawsuit accusing it of failing to protect sensitive genetic data adequately. The lawsuit was settled this month for $30 million, which included compensation for affected customers and commitments to strengthening cybersecurity measures.

“With great power comes great responsibility. 23andme plays in a space that they knew— or should have known— was extremely sensitive. And they are paying a settlement that responds to a suit specifically related to their failure to exercise enough security protection for the targeted attack against customers with Chinese or Ashkenazi Jewish ancestry,” Baer told VentureBeat.

Despite the settlement, 23andMe denied wrongdoing but agreed to implement additional security protocols, such as mandatory two-factor authentication and annual cybersecurity audits, to prevent similar incidents​.

The company continues to face lawsuits, including one where they attempted to deflect blame by telling users that hackers took advantage of recycled credentials.  

Where 23andMe needs to start

DNA is by far the most potent form of identity data that exists. 23andMe’s initial efforts at MFA and audits don’t go far enough. However, with adversarial AI challenging MFA’s reliability more and more, the company has to reinvent itself significantly from a security standpoint as it attempts to expand into therapeutics and clinical trials.

Here are five suggestions of where to start:

Audit all access credentials and delete any accounts that aren’t being used now: A comprehensive audit of all access credentials is essential to eliminating “zombie credentials,” as Ivanti’s CPO, Srinivas Mukkamala told VentureBeat, “Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination. We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data.” Given 23andMe’s history of breaches, this is an excellent place to start.

Thoroughly audit how new accounts are created and start auditing every account with admin privileges. Attackers look to take over the new account creation process first, especially for admin privileges, because that gives them the control surface they need to take over the entire infrastructure. Many of the longest-dwelling breaches happened because attackers could use admin privileges to deactivate entire systems’ accounts and detection workflows to shut down attempts at discovering their breach.

Passwordless is the future, so start planning for it now. 23andMe’s senior management needs to consider moving away from passwords and adopting a zero-trust approach to identity security. Gartner predicts that by 2025, 50% of the workforce and 20% of customer authentication transactions will be passwordless. Leading passwordless authentication providers include Ivanti’s Zero Sign-On (ZSO) solution, Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and others. Ivanti’s Zero Sign-On (ZSO) solution is among the most versatile solutions, combining passwordless authentication, zero trust and a simplified user experience while supporting biometrics, including Apple’s Face ID.

Verify every machine and human identity before granting access to any resources. One of the core concepts of zero trust is least privileged access. 23andMe needs to enforce it for every machine and human identity before granting access. That means current methods of password authentication and how customers can traverse family trees and DNA Relative structures need to be more hardened against lateral movement.

Get a quick win in microsegmentation by not allowing the implementation to drag on. Microsegmentation is a security strategy to divide networks into smaller, isolated segments. It’s proven effective in reducing the size and vulnerability of an attack surface, allowing organizations to identify and isolate any suspicious activity on their networks quickly. Microsegmentation is a crucial component of zero trust, as outlined in the NIST’s zero-trust framework.

The path forward

“In light of the current boardroom issues, establishing robust protocols for data governance is crucial. For instance, in the event of bankruptcy or significant organizational changes, the data could remain protected within a secure vault, accessible only under strict oversight by appointed custodians,” Aronchick advised VentureBeat.

The challenges facing 23andMe go beyond financial losses and security failures. With leadership in flux and the company’s future uncertain, it must act swiftly to modernize its IAM infrastructure and secure its data assets.

As their efforts to reinvent themselves from a security standpoint go, so will the success or failure of their efforts to regain investor confidence and prevent further breaches. The consequences of inaction are clear: delays in securing its systems could invite additional cyberattacks, eroding shareholder value and further endangering its financial stability.