With all seven independent directors resigning from 23andMe last week, the company has become a cautionary tale of why cybersecurity is first a business decision for any enterprise: an organization that ignores that faces immediate and lasting consequences. Customers aren't sure how the company plans to strengthen its security and protect their DNA and other confidential personally identifiable information (PII). Enterprises can't afford to let security become a liability.
Multiple large-scale security breaches have shaken existing customers' confidence and made potential customers think twice about sharing their DNA data with 23andMe.
The independent board members unanimously resigned on Sept. 17 in response to CEO Anne Wojcicki's push to take the company private. Their resignation letter states that they have not seen progress on an actionable plan for taking the company private that benefits all shareholders.
The independent directors also cite differences of opinion with Wojcicki on the company's future direction and say it is best to resign rather than fuel potential internal conflict.
23andMe's leadership crisis further jeopardizes DNA security
It's rare to see an entire board resign at once. That signals a fundamental disconnect between how the board and senior management see the future of the business. 23andMe equally can't afford a disconnect between its identity and access management (IAM) and privileged access management (PAM) programs if it is to improve its security infrastructure and build a more robust security posture. Now would be the time to reinvent itself from a security standpoint, protecting customers' identities and their DNA data.
DNA is the most permanent personal data there is; victims of identity attacks based on it face a lifetime of potential exposure. As Tina Srivastava, co-founder of Badge, told VentureBeat in a recent interview, "With 23andMe and DNA, you can't reset it, you can't change it if it's compromised. It's like a one-and-done situation. It's not revocable. What Badge does is that we eliminate the storage of biometric data."
David Aronchick, CEO of Expanso, told VentureBeat that "one of the fundamental challenges for 23andMe is that while they possess an enormous amount of sensitive genetic data, they may not be fully equipped to extract its maximum value internally, especially without extensive research facilities." Aronchick added that "traditionally, sharing this data with external parties has involved allowing downloads and trusting third parties to handle it responsibly, a method fraught with security risks, especially because the only way to enforce good behavior of the data is legally and with deep audits." He said 23andMe would struggle with the scale that approach would require.
Merritt Baer, CISO at Reco, told VentureBeat in a recent interview, "Identity security isn't just a technical issue, it's a fundamental component of corporate trust between a company and its users. When executive leadership is in flux, the entire organization is exposed to questions around how an entity will enforce both the strategic and the tactical behaviors that customers need to see."
Financial instability is amplifying security concerns
For its first quarter of fiscal year 2025 (FY25), which ended June 30, 2024, 23andMe reported a 34% year-over-year revenue decline, dropping from $61 million to $40 million. The steep decline was driven by the termination of its partnership with GSK and a drop in personal genetic services (PGS) sales.
Despite some improvement in adjusted EBITDA, the company's net loss was still significant at $69 million for the quarter. Its research business, exceptionally expensive yet failing to deliver substantial revenue, contributes a multimillion-dollar loss, as the quarterly results show.
CNN reports that last month, 23andMe shuttered its internal drug research group.
With only $170 million in cash left, 23andMe faces a significant cash burn. It will need to raise additional funds and consider an acquisition or an investment from private equity firms pursuing healthcare. The Wall Street Journal recently wrote, "23andMe has never made a profit and is burning cash so quickly it could run out next year." 23andMe also announced that its telehealth platform, Lemonaid, will sell weekly injections of compounded semaglutide, the active ingredient in Wegovy and Ozempic, through a new subscription product in an attempt to capitalize on the popularity of GLP-1 medications for weight loss, according to the WSJ.
Private equity firms are known for the depth of their due diligence before investing in or acquiring companies, often drilling down into the security infrastructure and tech stack. Given 23andMe's distressed financial state, chances are it's already on the acquisition radar of private equity firms.
Its ongoing security weaknesses may further reduce the company's valuation, making it more attractive to private equity firms looking for distressed assets. Any future breach would likely compound the company's financial instability and further depress any purchase price.
23andMeโs new board needs to include at least one CISO from healthcare who knows how to protect healthcare data and is familiar with the many compliance requirements and laws in that industry.
Baer remarked on the core challenges facing 23andMe's board from a CISO perspective. "The board should be an accountability mechanism for the company, not just when it is convenient. The entire value proposition of 23andMe resides in the idea that folks will buy a genetic testing kit, but that was a questionable hypothesis (what happens after you buy it once? Your genes don't change). Now it's a questionable proposition because it relies on a presumption of trust, one that feels unreliable."
23andMe is an appealing private equity buy
Despite its challenges, 23andMe's massive base of genetic data, built from more than 12 million kits sold, combined with the work it has been doing with healthcare professionals, medical researchers and the scientific community, makes it an appealing target for private equity firms.
The company's current market capitalization is $170 million, with an enterprise value of approximately $69 million. Private equity firms with substantial investments in healthcare technology and services providers include Blackstone, which recently acquired Ancestry; KKR; and TPG. Each of these firms, and others, potentially sees the company's condition and challenges as an opportunity to acquire 23andMe at a discount.
The sale of 23andMe to an offshore private equity firm would raise significant concerns about U.S. citizens' genetic data security. When VentureBeat asked industry leaders, including Srivastava, for their perspective on a foreign buyer acquiring 23andMe, she said, "And I hope that given the national security implications of this, we don't allow this to be given over, like you said, to foreign parties that don't respect the privacy of Americans."
Eric Chien, Fellow, Symantec Threat Hunter Team at Broadcom, stressed the importance of a few things when VentureBeat interviewed him recently. The major one is "knowing who has access to that data and the chain of custody." Without these safeguards, 23andMe's sensitive data could be at risk of exploitation, further complicating any potential sale.
"This is a fairly unique situation (all of the independent directors resigned), but it's emblematic of other issues in governance, trust, security and the damage to the company when external and internal folks lose confidence," Baer told VentureBeat.
Attackers after DNA data also targeted ethnic groups
In October 2023, 23andMe disclosed a significant data breach caused by credential stuffing, in which attackers replayed username and password pairs obtained from other breaches against 23andMe's login page. Because the attack uses valid credentials, it looks like ordinary logins unless the login service watches for its signature: one source trying many distinct accounts, each once or twice, with a high failure rate and occasional successes. The breach compromised the personal and genetic data of nearly 7 million individuals, far more than the number of accounts actually logged into, because the "DNA Relatives" feature lets one account view data about its genetic matches. The information exposed included names, birth years and ancestry data from 5.5 million customers using the "DNA Relatives" feature and 1.4 million users of the "Family Tree" feature.
One of the most alarming aspects of the breach was the specific targeting of demographic groups, including 1 million Ashkenazi Jews and anyone in the 23andMe data set of Chinese descent. Attackers were quick to leak the breached DNA data on BreachForums and Reddit. Attackers also exposed raw genotype data, raising concerns about the potential misuse of genetic information for blackmail, unauthorized genetic research, or employment and insurance discrimination.
23andMe delayed telling customers of Ashkenazi Jewish and Chinese descent that their data had been stolen. As a result, in January 2024, the company faced a class-action lawsuit accusing it of failing to adequately protect sensitive genetic data. The lawsuit was settled this month for $30 million, which included compensation for affected customers and commitments to strengthen cybersecurity measures.
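The credential-stuffing pattern described above is detectable in ordinary authentication logs. The following is an added example written for this article, not 23andMe's code: it scores each source IP by the number of distinct usernames it tried and its failure ratio, which separates a stuffing run (many users, mostly failures, a few successes) from a brute-force or forgotten-password pattern (one user, repeated failures). The log line format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
"""Credential-stuffing detector over web-authentication log lines.

Added example, not code from 23andMe or any vendor named in the article.
The log format (timestamp, source IP, username, outcome), the sample lines
and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). One stuffing source (203.0.113.7)
# cycles through eight accounts, two of which accept the replayed password;
# 198.51.100.9 is a single user retrying their own password; 192.0.2.44 is
# an ordinary successful login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:05:10Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:05:20Z 198.51.100.9 alice@example.com OK
2023-10-01T10:06:00Z 192.0.2.44 bob@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_line(line):
    """Split one log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return ts, ip, user, outcome


def analyze(log_text, min_users=5, min_fail_ratio=0.5, min_user_ratio=0.8):
    """Return a list of findings, one per source IP that looks like a
    credential-stuffing run.

    A source is flagged when it tried at least `min_users` distinct accounts,
    at least `min_fail_ratio` of its attempts failed, and the number of
    distinct users is at least `min_user_ratio` of its attempts (i.e. it is
    spraying accounts, not hammering one). Accounts that accepted a login
    from such a source are listed as `compromised` so they can be forced
    through a password reset and MFA enrolment.
    """
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1

    findings = []
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        user_ratio = len(s.users) / s.attempts
        if (len(s.users) >= min_users
                and fail_ratio >= min_fail_ratio
                and user_ratio >= min_user_ratio):
            findings.append({
                "ip": ip,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s.successes),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"stuffing source {f['ip']}: {f['distinct_users']} users, "
              f"fail ratio {f['fail_ratio']}, compromised {f['compromised']}")
```

In a real deployment the same counters would be kept per source over a sliding window and joined with data such as ASN and user-agent, and the `compromised` list would feed an automated reset-and-notify workflow rather than a print statement. Note that the successes are the important output: a stuffing run is only as dangerous as the accounts it gets into, and each of those accounts is a window onto its relatives' data.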
"With great power comes great responsibility. 23andme plays in a space that they knew, or should have known, was extremely sensitive. And they are paying a settlement that responds to a suit specifically related to their failure to exercise enough security protection for the targeted attack against customers with Chinese or Ashkenazi Jewish ancestry," Baer told VentureBeat.
In settling, 23andMe denied wrongdoing but agreed to implement additional security protocols, such as mandatory two-factor authentication and annual cybersecurity audits, to prevent similar incidents.
The company continues to face lawsuits, including one in which it attempted to deflect blame by telling users that hackers had taken advantage of recycled credentials.
Where 23andMe needs to start
DNA is by far the most potent form of identity data that exists. 23andMe's initial commitments to MFA and audits don't go far enough. With adversarial AI increasingly undermining the reliability of conventional MFA, the company has to reinvent itself significantly from a security standpoint as it attempts to expand into therapeutics and clinical trials.
Here are five suggestions of where to start:
Audit all access credentials and delete any accounts that aren't being used now. A comprehensive audit of all access credentials is essential to eliminating "zombie credentials." As Ivanti's CPO, Srinivas Mukkamala, told VentureBeat, "Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee's termination. We call these zombie credentials, and a shockingly large number of security professionals, and even leadership-level executives, still have access to former employers' systems and data." Given 23andMe's history of breaches, this is an excellent place to start.
Thoroughly audit how new accounts are created, and start auditing every account with admin privileges. Attackers look to take over the account creation process first, especially for admin privileges, because that gives them the control surface they need to take over the entire infrastructure. Many of the longest-dwelling breaches happened because attackers could use admin privileges to deactivate entire systems' accounts and detection workflows, shutting down attempts to discover the intrusion.
Passwordless is the future, so start planning for it now. 23andMe's senior management needs to consider moving away from passwords and adopting a zero-trust approach to identity security. Gartner predicts that by 2025, 50% of the workforce and 20% of customer authentication transactions will be passwordless. Passwordless authentication providers include Ivanti's Zero Sign-On (ZSO) solution, Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and others. Ivanti's ZSO is among the more versatile, combining passwordless authentication, zero trust and a simplified user experience while supporting biometrics, including Apple's Face ID.
Verify every machine and human identity before granting access to any resource. One of the core concepts of zero trust is least-privileged access, and 23andMe needs to enforce it for every machine and human identity before granting access. That means the current password authentication, and the way customers can traverse family trees and DNA Relatives structures, need to be hardened so that a single compromised account cannot be used to harvest the data of its genetic matches at scale, as happened in the 2023 breach.
Get a quick win in microsegmentation by not letting the implementation drag on. Microsegmentation is a security strategy that divides networks into smaller, isolated segments. It has proven effective in reducing the size and exposure of an attack surface and lets organizations identify and isolate suspicious activity on their networks quickly. Microsegmentation is a crucial component of zero trust, as outlined in NIST's zero-trust architecture (NIST SP 800-207).
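The first two suggestions above (purge unused and zombie credentials, and audit admin and newly created accounts) can be run as one mechanical pass over an identity inventory. The following is an added example written for this article, not code from 23andMe, Ivanti or any other vendor named here. The account record layout, the sample inventory and the thresholds (90 days dormant, admins created within 30 days) are assumptions constructed for illustration; in practice the records would be joined from an identity provider export and an HR feed.

```python
"""Identity-inventory audit: zombie, dormant and privileged accounts.

Added example, not 23andMe's or any vendor's code. The record format,
the sample inventory and the thresholds are assumptions for illustration.
Each record is expected to carry: user, type (human/service), admin (bool),
mfa (bool), status (active/terminated), created and last_login (ISO dates).
"""
from datetime import date

# Constructed sample inventory (not real data).
SAMPLE_ACCOUNTS = [
    {"user": "jdoe",    "type": "human",   "admin": False, "mfa": True,
     "status": "active",     "created": "2022-01-10", "last_login": "2024-09-20"},
    {"user": "rsmith",  "type": "human",   "admin": True,  "mfa": False,
     "status": "active",     "created": "2021-05-02", "last_login": "2024-09-19"},
    # Terminated in HR but still enabled and logging in: a zombie credential.
    {"user": "tlee",    "type": "human",   "admin": False, "mfa": True,
     "status": "terminated", "created": "2020-03-15", "last_login": "2024-09-18"},
    {"user": "svc-etl", "type": "service", "admin": False, "mfa": False,
     "status": "active",     "created": "2019-11-01", "last_login": "2024-03-01"},
    # Admin service account created days ago: review who created it and why.
    {"user": "svc-new", "type": "service", "admin": True,  "mfa": False,
     "status": "active",     "created": "2024-09-15", "last_login": "2024-09-21"},
    {"user": "mchen",   "type": "human",   "admin": False, "mfa": False,
     "status": "active",     "created": "2018-07-07", "last_login": "2024-01-05"},
]

# Fixed audit date so the run is reproducible; use date.today() in practice.
AS_OF = date(2024, 9, 23)


def audit(accounts, as_of=AS_OF, dormant_days=90, new_admin_days=30):
    """Classify accounts into the buckets a credential audit acts on.

    zombie       - status is terminated but the account still exists
                   (disable immediately; if last_login is after termination,
                   treat it as an incident).
    dormant      - active account with no login for more than dormant_days
                   (disable, then delete after a grace period).
    admin_no_mfa - privileged account without MFA (enforce MFA or remove
                   the privilege; service accounts should use scoped,
                   short-lived credentials instead).
    new_admin    - privileged account created within new_admin_days
                   (verify the creation request and approver).
    Order within each bucket follows the input order.
    """
    findings = {"zombie": [], "dormant": [], "admin_no_mfa": [], "new_admin": []}
    for a in accounts:
        last_login = date.fromisoformat(a["last_login"])
        created = date.fromisoformat(a["created"])
        if a["status"] == "terminated":
            findings["zombie"].append(a["user"])
        elif (as_of - last_login).days > dormant_days:
            findings["dormant"].append(a["user"])
        if a["admin"]:
            if not a["mfa"]:
                findings["admin_no_mfa"].append(a["user"])
            if (as_of - created).days <= new_admin_days:
                findings["new_admin"].append(a["user"])
    return findings


def actions(findings):
    """Map each bucket to the remediation an operator should take; returns
    a list of (user, action) pairs in a stable order for ticketing."""
    plan = []
    for user in findings["zombie"]:
        plan.append((user, "disable now; investigate post-termination logins"))
    for user in findings["dormant"]:
        plan.append((user, "disable; delete after grace period"))
    for user in findings["admin_no_mfa"]:
        plan.append((user, "require MFA or strip admin role"))
    for user in findings["new_admin"]:
        plan.append((user, "verify creation request and approver"))
    return plan


if __name__ == "__main__":
    for user, action in actions(audit(SAMPLE_ACCOUNTS)):
        print(f"{user:8s} {action}")
```

The useful property of running this as code rather than a spreadsheet review is that it can be scheduled: the same pass on every export turns the "audit all access credentials" recommendation from a one-off project into a control, and the `new_admin` bucket is exactly the new-account-creation review the second suggestion asks for.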
The path forward
"In light of the current boardroom issues, establishing robust protocols for data governance is crucial. For instance, in the event of bankruptcy or significant organizational changes, the data could remain protected within a secure vault, accessible only under strict oversight by appointed custodians," Aronchick advised VentureBeat.
The challenges facing 23andMe go beyond financial losses and security failures. With leadership in flux and the company's future uncertain, it must act swiftly to modernize its IAM infrastructure and secure its data assets.
How well its efforts to reinvent itself from a security standpoint go will determine whether it regains investor confidence and prevents further breaches. The consequences of inaction are clear: delays in securing its systems could invite additional cyberattacks, eroding shareholder value and further endangering its financial stability.
source: https://venturebeat.com/security/with-23andmes-directors-quitting-your-data-is-at-risk-time-to-double-down-on-identity-securitywith-23andmes-directors-quitting-your-data-is-at-risk-time-to-double-down-on-identity-security/