The resignation of all seven independent directors of 23andMe is a reminder that cybersecurity is a foundational business decision, not an IT afterthought. The company's failure to convincingly address its security problems has left customers doubting whether their DNA and other sensitive personal information is safe, and neglecting cybersecurity has both immediate and lasting repercussions for any organization.
Several significant security breaches have shaken the confidence of existing customers and deterred potential customers from sharing their DNA data with 23andMe. The lack of a clear plan to enhance security measures has left customers uncertain about the company’s commitment to safeguarding their data.
The unanimous resignation of the independent board members was triggered by CEO Anne Wojcicki’s proposal to take the company private. The board members expressed concerns about the lack of progress towards a beneficial privatization plan for all shareholders. Additionally, differences in opinions regarding the company’s future direction led to the board members’ decision to step down to avoid internal conflicts.
23andMe’s leadership crisis further jeopardizes DNA security
The resignation of every independent director signals a significant disconnect between the board and senior management over the company's future. From a security standpoint, 23andMe needs to close the gap between Identity and Access Management (IAM), which governs who customers and employees are, and Privileged Access Management (PAM), which governs the administrative accounts that can reach genetic data in bulk, so that both are subject to the same strong authentication, least-privilege and audit controls. The current upheaval is an opportunity to reevaluate how customer identities and DNA data are protected.
DNA data is among the most permanent forms of personal information: a compromised password or card number can be reset, a genome cannot. Anyone whose genetic data leaks is exposed to identity and targeting attacks for life, which is why experts emphasize storing biometric data only where the business genuinely requires it and eliminating it everywhere else.
David Aronchick, CEO of Expanso, pointed out that 23andMe cannot extract value from sensitive genetic data on its own without adequate research facilities, so it must share that data with external parties. Every such transfer introduces risk that can only be contained through contractual enforcement and stringent audits, and managing that at 23andMe's scale is itself a significant security challenge.
Merritt Baer, CISO at Reco, emphasized that identity security is not just a technical concern but a fundamental element of building trust between a company and its users. The instability in executive leadership exposes the organization to uncertainties regarding the enforcement of strategic and tactical behaviors expected by customers.
Financial instability is amplifying security concerns
23andMe reported a 34% year-over-year revenue decline for the first quarter of fiscal year 2025, attributed primarily to terminated partnerships and lower sales. Adjusted EBITDA improved somewhat, but the company still posted a substantial net loss for the quarter. Together with the closure of its internal drug research group, the numbers point to a pressing need for strategic financial decisions to keep the company operating.
The company’s dwindling cash reserves and ongoing cash burn necessitate the exploration of additional funding sources, including potential acquisitions or investments from private equity firms specializing in healthcare. Private equity firms conduct thorough due diligence on security infrastructure and technology stacks before investing in distressed assets like 23andMe.
23andMe’s security vulnerabilities pose a risk to the company’s valuation and attractiveness to potential acquirers. Any future breaches could exacerbate the company’s financial instability and impact its purchase price. The appointment of a CISO with healthcare expertise is essential to bolstering data protection and compliance efforts.
23andMe is an appealing private equity buy
Despite its challenges, 23andMe’s extensive genetic database and collaborations with healthcare professionals make it an attractive target for private equity firms. The company’s current market capitalization and enterprise value present an opportunity for strategic acquisitions by firms with a focus on healthcare technology and services.
The potential sale of 23andMe to a foreign private equity firm raises concerns about the security of U.S. citizens’ genetic data. Industry experts caution against compromising data privacy and security by allowing foreign entities access to sensitive genetic information.
Stringent access controls and a clear chain of custody for genetic data, recording who accessed which records, when, and under what authorization, are essential regardless of who owns the company. Robust data governance protocols are what keep sensitive data protected through organizational changes, acquisitions and periods of financial instability.
Attackers after DNA data also targeted ethnic groups
23andMe disclosed a major data breach in October 2023 that resulted from credential stuffing: attackers replayed username and password pairs leaked in other companies' breaches against 23andMe's login page, gaining direct access to roughly 14,000 accounts whose owners had reused passwords. Because the DNA Relatives feature lets each account view profile data about genetic matches, those accounts became a pivot into the personal and genetic data of about 6.9 million people. The attackers then published curated lists targeting specific groups, including Ashkenazi Jews and people of Chinese descent, raising concerns about genetic information being used to single out ethnic groups.
The months-long delay before affected individuals were notified, and the class-action lawsuit that followed, underscored the company's failure to adequately protect sensitive genetic data. As part of the resulting settlement, 23andMe agreed to additional protections including mandatory two-factor authentication and regular cybersecurity audits.
Continued legal challenges, and the company's attempt to shift blame onto users for reusing passwords, have kept the question of accountability in the foreground. An operator of irreplaceable data cannot treat password reuse as the customer's problem; the expected defenses against credential stuffing are well known, and closing those gaps is the minimum required to prevent a repeat.
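Credential stuffing has a recognizable shape in authentication logs: one source tries many distinct accounts and fails most of the time, with the occasional success marking an account whose password was reused. The following is an added example, not 23andMe's code or logs; the log lines are constructed and the thresholds are assumptions. It profiles each source IP, flags the ones that look like stuffing, and lists the accounts that need a forced reset and MFA enrollment because they were successfully logged into from a flagged source.

```python
"""Credential-stuffing detection over authentication logs (added example).

The log below is constructed for illustration; the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed auth log: timestamp, source IP, account, outcome (one event per line)
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi@example.com SUCCESS
2023-10-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.4 alice@example.com FAIL
2023-10-01T10:01:09Z 198.51.100.4 alice@example.com SUCCESS
2023-10-01T10:02:00Z 192.0.2.9 mallory@example.com SUCCESS
"""


@dataclass
class SourceStats:
    failures: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)   # distinct accounts attempted
    hijacked: set = field(default_factory=set)   # accounts that succeeded from this source


def parse_log(text):
    """Yield (timestamp, ip, account, outcome); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def profile_sources(text):
    """Aggregate per-source-IP statistics from the log."""
    stats = defaultdict(SourceStats)
    for _ts, ip, account, outcome in parse_log(text):
        s = stats[ip]
        s.accounts.add(account)
        if outcome == "SUCCESS":
            s.successes += 1
            s.hijacked.add(account)
        else:
            s.failures += 1
    return stats


def detect_stuffing(text, min_accounts=5, min_failure_ratio=0.6):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    Signature (an assumption for this example): one source attempting many
    distinct accounts with mostly failures. A user mistyping their own
    password (198.51.100.4) touches one account and is not flagged; a normal
    login (192.0.2.9) is not flagged either.
    """
    flagged = {}
    for ip, s in profile_sources(text).items():
        total = s.failures + s.successes
        if len(s.accounts) >= min_accounts and s.failures / total >= min_failure_ratio:
            flagged[ip] = s
    return flagged


def accounts_to_reset(text, **thresholds):
    """Accounts that authenticated successfully from a flagged source.

    A success inside a stuffing campaign means the password was reused from
    another breach: force a reset and require MFA enrollment.
    """
    out = set()
    for s in detect_stuffing(text, **thresholds).values():
        out |= s.hijacked
    return sorted(out)


if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(s.accounts)} accounts tried, "
              f"{s.failures} failures, {s.successes} successes")
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

In production the same logic runs per time window rather than over a whole file, and real campaigns spread attempts across many proxy IPs to stay under per-source thresholds, so the distinct-accounts-per-source signal is usually combined with a global failure-rate baseline and with rate limiting at the login endpoint.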
Where 23andMe needs to start
23andMe should start with the identity layer that failed in 2023: audit existing credentials for reuse against known-breached password sets, harden account creation so that bulk or automated sign-ups are caught, and move customers to passwordless authentication such as passkeys, which removes the reused-password vector that credential stuffing depends on. Inside the environment, least-privilege access and microsegmentation limit how far a single compromised account or service can reach, so that one stolen credential no longer exposes data about millions of people.
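Auditing credentials for reuse does not require handling full passwords or full hashes outside the authentication path. The following added example (not 23andMe code; the breach corpus and accounts are constructed) shows the k-anonymity range-query model used by public breached-password services: the client sends only the first five hex characters of the SHA-1 hash, the server returns every known suffix under that prefix, and the match is made locally. A login-time policy then forces a reset for breached passwords and MFA enrollment for everyone else, which is the practical route toward the passwordless end state.

```python
"""Breached-password audit with a k-anonymity range query (added example).

The breach corpus is constructed; the query shape mirrors the public
"send a 5-hex-char SHA-1 prefix, receive suffixes" model so that the full
password hash never leaves the client.
"""
import hashlib

# Constructed stand-in for a leaked-password corpus held by the audit service
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

PREFIX_LEN = 5  # 20 bits of the hash; the rest stays on the client


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map hash prefix -> set of 35-hex-char suffixes."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """Server side: the only thing the server ever learns is the prefix."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return index.get(prefix.upper(), set())


def is_breached(index, password):
    """Client side: query by prefix, then compare the suffix locally."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


def policy_after_password_check(index, password, mfa_enrolled):
    """Decide what happens after a user has proven their password.

    Breached password: force a reset before anything else.
    Not yet on MFA: require enrollment (the interim step toward passwordless).
    Otherwise: allow.
    """
    if is_breached(index, password):
        return "force_reset"
    if not mfa_enrolled:
        return "require_mfa_enrollment"
    return "allow"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for pw, mfa in [("password", True), ("correct horse battery staple", False),
                    ("correct horse battery staple", True)]:
        print(pw, "->", policy_after_password_check(idx, pw, mfa))
```

The same check belongs at password-set time and in a one-off sweep over existing accounts at next login; the k-anonymity shape matters in the sweep, since the audit service must never receive enough of the hash to identify individual passwords.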
The path forward
Robust data governance, a modernized IAM infrastructure and properly secured data assets are the critical steps for 23andMe to get through its current situation. Prioritizing those security improvements is also the way to rebuild investor confidence: for a company whose only real asset is the data it holds, reducing cybersecurity risk and safeguarding financial stability are the same task.