Urgent Need for Enhanced DNA Security Amid 23andMe Crisis

With the recent resignation of all seven independent directors from 23andMe, the company serves as a cautionary example of the critical importance of cybersecurity as a core business decision. Customers remain uncertain about how 23andMe plans to enhance its security measures to protect sensitive DNA and personally identifiable information (PII). Ignoring cybersecurity can turn into a significant liability for any enterprise.

Numerous large-scale security breaches have undermined the confidence of existing customers and led potential clients to hesitate before sharing their genetic data with the company.

Responding to CEO Anne Wojcicki’s plan to take the company private, the independent board members resigned unanimously, expressing concerns over a lack of progress on a comprehensive plan that would benefit all shareholders. They cited differences in perspective regarding the company’s direction and opted to step down to avoid internal conflicts.

A Leadership Crisis Impacting Security at 23andMe

A mass resignation of a board is unusual and indicates a profound disconnect between management and governance. This disconnect highlights the urgent need for 23andMe to integrate identity management solutions, such as identity and access management (IAM) and privileged access management (PAM), to bolster its cybersecurity framework. The current circumstances present an opportunity for the organization to pivot strategically, prioritizing the protection of customer identities and DNA data.

DNA data is exceptionally sensitive; compromised genetic information can expose victims to lifelong vulnerabilities. As Tina Srivastava, co-founder of Badge, recently pointed out, “Once DNA data is compromised, it cannot be reset or changed. It presents an irreversible risk.”

David Aronchick, CEO of Expanso, noted that 23andMe holds vast amounts of sensitive genetic data but may lack the capability to derive its full value internally, especially without extensive research resources. He emphasized that sharing sensitive data with external parties poses significant security risks, as it often involves trusting third parties to manage the data responsibly.

Merritt Baer, CISO at Reco, stressed, “Identity security transcends technical issues; it's essential for maintaining corporate trust with users. Instability within executive leadership creates a risk for the entire organization, especially concerning strategy and tactical execution necessary for customer assurance.”

Financial Struggles Intensifying Security Concerns

In its first quarter of fiscal year 2025 (FY25), ending June 30, 2024, 23andMe reported a staggering 34% revenue decline, plummeting from $61 million to $40 million, primarily due to the termination of its partnership with GSK and a slump in personal genetic services (PGS) sales. Despite slight improvements in adjusted EBITDA, the company faced substantial net losses totaling $69 million for that quarter, a result of a costly research division that has failed to yield significant returns.

According to CNN, 23andMe recently dissolved its internal drug research team. With only $170 million in cash remaining, the company is under pressure to secure additional funding, potentially seeking acquisition or investment from private equity firms targeting the healthcare market. The Wall Street Journal noted the urgent financial predicament, stating, “23andMe has never turned a profit and is burning cash at an alarming rate.”

Private equity firms typically conduct thorough due diligence before investing, often scrutinizing security infrastructure. Given 23andMe’s dire financial status, it may already be attracting the attention of these investment firms. Ongoing security vulnerabilities could further diminish the company’s valuation, making it appealing to private equity looking for distressed assets.

Moving forward, 23andMe’s new board should include at least one CISO with healthcare expertise, well-versed in protecting healthcare data and complying with industry laws. Baer pointed out, “The board must hold the company accountable. The allure of genetic testing relies heavily on customer trust—trust that now appears questionable.”

23andMe: An Attractive Acquisition Target

Despite its challenges, 23andMe boasts a vast genetic database stemming from over 12 million kits sold and its collaborations with healthcare professionals and researchers, making it attractive to private equity firms. The company’s market capitalization stands at around $170 million, with approximately $69 million in enterprise value. Major private equity firms like Blackstone, KKR, and TPG may see the company’s current state as a chance to acquire 23andMe at a discount.

However, selling 23andMe to an offshore private equity firm could raise serious concerns about the security of U.S. citizens' genetic data. Srivastava voiced apprehensions about the national security implications, suggesting that sensitive personal data should not fall into the hands of foreign entities that may not prioritize American privacy.

Eric Chien, from Broadcom's Symantec Threat Hunter Team, highlighted the necessity of safeguarding data access and maintaining a chain of custody. “Without proper oversight, 23andMe’s sensitive data is at risk of exploitation, complicating any potential sale.”

Reflecting on the unusual mass resignation of independent directors, Baer observed, “This situation symbolizes broader issues regarding governance, trust, and security, which significantly impact the company’s reputation.”

Targeted Attacks on DNA Data

In October 2023, 23andMe suffered a severe data breach caused by credential stuffing attacks, compromising the personal and genetic information of nearly 7 million users, including names, birth years, and ancestry data drawn from several of the service's features. Alarmingly, the attackers specifically targeted particular demographic groups, including 1 million Ashkenazi Jews and individuals of Chinese descent, and the stolen data was leaked on various forums. The breach raised concerns over potential misuse of genetic data, including blackmail and discrimination.
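Credential stuffing replays username/password pairs leaked from other breaches, so the signal a defender looks for is one source attempting many different accounts with few attempts each, not one account being hammered. The following is an added detection example (not code from the article or from 23andMe); the log format, sample lines, IP addresses and thresholds are all constructed for illustration, and any logins that succeed inside a flagged burst are reported as probable account takeovers that warrant a forced password reset and MFA enrolment.

```python
"""Added example: flag credential-stuffing bursts in authentication logs.
The log format and the sample lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through many accounts (stuffing),
# one source retrying a single account (a user mistyping, or brute force).
SAMPLE_LOG = """\
2023-10-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:03 ip=203.0.113.7 user=carol result=ok
2023-10-01T10:00:04 ip=203.0.113.7 user=dave result=fail
2023-10-01T10:00:05 ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:06 ip=203.0.113.7 user=frank result=fail
2023-10-01T10:00:07 ip=203.0.113.7 user=grace result=ok
2023-10-01T10:05:00 ip=198.51.100.2 user=alice result=fail
2023-10-01T10:05:30 ip=198.51.100.2 user=alice result=fail
2023-10-01T10:06:00 ip=198.51.100.2 user=alice result=ok
"""


def parse(log_text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ip": m["ip"],
                "user": m["user"],
                "ok": m["result"] == "ok",
            })
    return events


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: {"distinct_users": n, "compromised": [users]}} for every
    source IP that touched at least `min_distinct_users` different accounts
    inside any `window`-long span. "compromised" lists accounts that logged in
    successfully from that IP during a flagged span."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_distinct_users:
                successes = {e["user"] for e in span if e["ok"]}
                if best is None:
                    best = {"distinct_users": 0, "compromised": set()}
                best["distinct_users"] = max(best["distinct_users"], len(users))
                best["compromised"] |= successes
        if best is not None:
            findings[ip] = {
                "distinct_users": best["distinct_users"],
                "compromised": sorted(best["compromised"]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} distinct accounts tried, "
              f"successful logins for {f['compromised']}")
```

The single-account retries from the second IP are deliberately not flagged: they are a different pattern (brute force or a legitimate user) and need a separate per-account lockout rule. In production the distinct-account threshold would be tuned against the site's normal traffic from shared NAT addresses, and the "compromised" list would feed a forced password reset and MFA enrolment rather than just a report.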

23andMe was criticized for delaying notifications to affected populations, culminating in a class-action lawsuit that resulted in a $30 million settlement for inadequate data protection. Although the company denied wrongdoing, it committed to enhancing its cybersecurity measures, including implementing mandatory two-factor authentication and annual audits.

Where 23andMe Must Begin to Improve

Given DNA's sensitivity, 23andMe's minimal efforts in multi-factor authentication (MFA) and security audits are insufficient. The company needs to undertake substantial security transformations, especially as it seeks to expand into therapeutics and clinical trials. Here are five essential steps to start:

1. Conduct an Access Credential Audit: Undertake a thorough audit of all access credentials and eliminate inactive accounts to address “zombie credentials,” which could expose vulnerabilities.

2. Enhance Account Creation Processes: Rigorously audit how new accounts are generated and scrutinize admin privileges to prevent unauthorized access that can compromise system integrity.

3. Move Towards Passwordless Solutions: Shift towards a passwordless identity security framework. Leading solutions like Ivanti’s Zero Sign-On, Microsoft Azure Active Directory, and others can facilitate this shift.

4. Implement Strict Access Controls: Enforce zero-trust principles by verifying the identity of every user and machine before granting access to any resource, minimizing the risk of lateral movement.

5. Prioritize Quick Wins in Microsegmentation: Adopt microsegmentation strategies to reduce the attack surface, enabling swift identification and isolation of suspicious activity within networks.
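Steps 1 and 2 above amount to a recurring audit of the account inventory: find accounts nobody has used in a long time ("zombie credentials"), and review every privileged account for how it was created and whether it is protected by MFA. The following is an added example of such a first-pass audit (not code from the article, from 23andMe, or from any IAM vendor); the account records, the field names, the idle threshold and the allowlist of approved provisioning sources are constructed assumptions for illustration.

```python
"""Added example: first-pass access credential audit over an account inventory.
All records, field names and thresholds below are constructed for this example."""
from datetime import date, timedelta

# Constructed account inventory, e.g. an export from an IAM directory.
ACCOUNTS = [
    {"user": "alice", "created": date(2022, 3, 1), "last_login": date(2024, 9, 20),
     "admin": False, "mfa": True, "created_by": "hr-provisioning"},
    {"user": "bob", "created": date(2021, 6, 1), "last_login": date(2024, 1, 5),
     "admin": False, "mfa": True, "created_by": "hr-provisioning"},
    # service account created by hand by an admin, never logged in, no MFA
    {"user": "svc-etl", "created": date(2024, 2, 1), "last_login": None,
     "admin": True, "mfa": False, "created_by": "dave"},
    {"user": "dave", "created": date(2020, 1, 15), "last_login": date(2024, 9, 28),
     "admin": True, "mfa": False, "created_by": "hr-provisioning"},
    {"user": "erin", "created": date(2023, 5, 9), "last_login": date(2024, 9, 29),
     "admin": True, "mfa": True, "created_by": "hr-provisioning"},
    # brand-new hire who has not logged in yet: must not count as a zombie
    {"user": "frank", "created": date(2024, 9, 25), "last_login": None,
     "admin": False, "mfa": False, "created_by": "hr-provisioning"},
]

# Constructed policy: only these sources may create accounts without review.
APPROVED_PROVISIONERS = {"hr-provisioning"}

# Constructed audit date so the example is reproducible.
TODAY = date(2024, 9, 30)


def audit_accounts(accounts, today, max_idle_days=90):
    """Return findings keyed by check name; each value is a sorted list of usernames.

    zombie: no login (or, for never-used accounts, no creation) within max_idle_days.
    admins_without_mfa: privileged accounts not protected by MFA.
    admins_outside_provisioning: privileged accounts created by something other
        than an approved provisioning source, i.e. hand-made admin accounts.
    """
    cutoff = today - timedelta(days=max_idle_days)
    zombie, admins_without_mfa, admins_outside_provisioning = [], [], []
    for a in accounts:
        # A never-used account is judged by its creation date, so a new hire
        # who has not logged in yet is not flagged.
        last_seen = a["last_login"] or a["created"]
        if last_seen < cutoff:
            zombie.append(a["user"])
        if a["admin"] and not a["mfa"]:
            admins_without_mfa.append(a["user"])
        if a["admin"] and a["created_by"] not in APPROVED_PROVISIONERS:
            admins_outside_provisioning.append(a["user"])
    return {
        "zombie": sorted(zombie),
        "admins_without_mfa": sorted(admins_without_mfa),
        "admins_outside_provisioning": sorted(admins_outside_provisioning),
    }


if __name__ == "__main__":
    for check, users in audit_accounts(ACCOUNTS, TODAY).items():
        print(f"{check}: {users}")
```

An account can appear under several checks at once, which is exactly the point: a hand-created admin account with no MFA that has never been used is the highest-priority item to disable. Run against a real directory export, the three lists become the disable queue (zombies), the MFA enforcement queue, and the list of privileged accounts whose creation needs a documented approval.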

The Path Forward

In light of ongoing challenges, it’s imperative for 23andMe to establish robust data governance protocols. In the event of financial distress or significant organizational change, the data should remain securely protected and closely monitored by designated custodians.

23andMe faces hurdles that extend beyond financial woes and security lapses. With leadership uncertainties clouding its future, the company must rapidly modernize its identity and access management infrastructure to safeguard its data assets. The effectiveness of these security transformations will be crucial in regaining investor confidence and preventing future breaches. The risks of inaction are evident: delays in securing systems may lead to further cyberattacks, diminishing shareholder value and threatening financial stability.
