With all seven independent directors resigning from 23andMe last week, the company has become a cautionary tale of why cybersecurity is a business decision for any enterprise first, as there are immediate and lasting impacts to any organization ignoring that. Customers aren't sure how the company plans to strengthen its security and protect their DNA and other confidential personally identifiable information (PII). Enterprises can't afford to allow security to become a liability.
Several large-scale security breaches have jilted current customers' confidence and made potential customers think twice about sharing their DNA data with 23andMe.
The independent board members unanimously resigned in response to CEO Anne Wojcicki's push to take the company private on Sept. 17. The resignation states that they haven't seen progress on an actionable plan for taking the company private that benefits all shareholders.
The independent directors also cite differences of opinion with Wojcicki on the company's future direction and believe it's best to resign instead of fueling potential internal conflict.
23andMe's leadership crisis further jeopardizes DNA security
It's rare to see an entire board resign at once. That signals a fundamental disconnect between how the board and senior management see the future of the business. 23andMe can't afford a similar disconnect between identity and access management (IAM) and privileged access management (PAM); it needs to improve its security infrastructure and ensure a more robust security posture. Now would be an ideal time to reinvent itself from a security standpoint, protecting customers' identities and their DNA data.
DNA data is the most permanent personal data there is, exposing victims of identity attacks based on that data to a lifetime of potential liability. As Tina Srivastava, co-founder of Badge, told VentureBeat in a recent interview, "With 23andMe and DNA, you can't reset it, you can't change it if it's compromised. It's like a one-and-done situation. It's not revocable. What Badge does is that we eliminate the storage of biometric data."
David Aronchick, CEO of Expanso, told VentureBeat that "one of the fundamental challenges for 23andMe is that while they possess an enormous amount of sensitive genetic data, they may not be fully equipped to extract its maximum value internally, especially without extensive research facilities." Aronchick added that "traditionally, sharing this data with external parties has involved allowing downloads and trusting third parties to handle it responsibly—a method fraught with security risks—especially because the only way to enforce good behavior with the data is legally and with deep audits." He said 23andMe would struggle with the scale that approach would require.
Merritt Baer, CISO at Reco, told VentureBeat in a recent interview, "Identity security isn't just a technical issue, it's a fundamental component of corporate trust between a company and its users. When executive leadership is in flux, the entire organization is exposed to questions around how an entity will implement both the strategic and the tactical behaviors that customers need to see."
Financial instability is amplifying security concerns
For its first quarter of fiscal year 2025 (FY25), which ended June 30, 2024, 23andMe reported a 34% year-over-year revenue decline, dropping from $61 million to $40 million. The steep decline was influenced by the termination of its partnership with GSK and a drop in personal genetic services (PGS) sales.
Despite some improvement in adjusted EBITDA, the company's net losses were still significant at $69 million for the quarter. Its struggling research business contributes to a multimillion-dollar loss, known for being exceptionally expensive yet failing to deliver substantial revenue, as its quarterly results show.
CNN reports that last month, 23andMe shuttered its internal drug research group.
With only $170 million in cash left, 23andMe faces a significant cash burn. It will need to raise more funds and consider an acquisition or an investment from private equity firms pursuing healthcare. The Wall Street Journal recently wrote, "23andMe has never made a profit and is burning cash so quickly it could run out next year." 23andMe also introduced a telehealth platform, Lemonaid, selling weekly injections of compounded semaglutide, the active ingredient in Wegovy and Ozempic, through a new subscription product in an attempt to capitalize on the popularity of GLP-1 drugs for weight loss, according to the WSJ.
Private equity firms are known for the depth of their due diligence before investing in or acquiring companies, often drilling down into the security infrastructure and tech stack. Given 23andMe's distressed financial state, chances are it's already on the acquisition radar of private equity firms.
Its ongoing security vulnerabilities may further reduce the company's valuation, making it more attractive to private equity firms seeking distressed assets. Any future breaches would likely compound the company's financial instability and weigh on its purchase price.
23andMe's new board needs to include at least one CISO from healthcare who knows how to protect healthcare data and knows the many compliance requirements and laws in that industry.
Baer remarked on the core challenges facing 23andMe's board from a CISO perspective. "The board needs to be an accountability mechanism for the company—not just when it's convenient. The entire value proposition of 23andMe resides in the idea that people will buy a genetic testing kit, but that was a questionable hypothesis (what happens after you buy it once? Your genes don't change). Now it's a questionable proposition because it relies on a presumption of trust—one that feels unreliable."
23andMe is an attractive private equity acquisition
Despite its challenges, 23andMe's massive base of genetic data, built on over 12 million kits sold, combined with the work it's been doing with healthcare professionals, medical researchers and the scientific community, makes it an attractive target for private equity firms.
The company's current market capitalization is $170 million, with an enterprise value of roughly $69 million. Private equity firms with substantial investments in healthcare technology and services providers include Blackstone, which recently acquired Ancestry, KKR and TPG. Each of these firms and others potentially see the company's situation and challenges as an opportunity to acquire 23andMe at a discount.
The sale of 23andMe to an offshore private equity firm would raise significant concerns about U.S. citizens' genetic data security. When VentureBeat asked industry leaders, including Srivastava, for their perspective on a foreign buyer acquiring 23andMe, she said, "And I hope that given the national security implications of this, we don't allow this to be given over, like you said, to foreign parties that don't respect the privacy of Americans."
Eric Chien, director at Symantec Enterprise Division at Broadcom, stressed the importance of a few things when VentureBeat interviewed him recently. The main one is "understanding who has access to that data and the chain of custody." Without those safeguards, 23andMe's sensitive data could be prone to exploitation, further complicating any potential sale.
"This is a fairly unique situation (all of the independent directors resigned), but it's emblematic of other issues in governance, trust, security and the damage to the company when external and internal people lose confidence," Baer told VentureBeat.
Attackers after DNA data also targeted ethnic groups
In October 2023, 23andMe suffered a significant data breach as a result of credential stuffing attacks, in which hackers used login details obtained from other breaches to access user accounts. The breach compromised the personal and genetic data of nearly 7 million people. The information exposed included names, birth years and ancestry data from 5.5 million customers using the "DNA Relatives" feature and 1.4 million users using the "Family Tree" feature.
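The pattern described above is detectable on the defender's side: a credential-stuffing run replays leaked username/password pairs, so one source touches many distinct accounts with a low success rate, and each account it does open exposes whatever a sharing feature lets that account see. The following is an added example, not 23andMe's code; the log format, IP addresses, usernames and the relatives graph are all constructed for illustration.

```python
"""Added example (not 23andMe's code): credential-stuffing detection over
constructed auth-log lines, plus the reach a relatives-sharing feature
gives each compromised account (why few account takeovers expose many)."""
from collections import defaultdict

# Constructed sample log, format: "<timestamp> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol FAIL
2023-10-01T10:00:04 203.0.113.7 dave OK
2023-10-01T10:00:05 203.0.113.7 erin FAIL
2023-10-01T10:00:06 203.0.113.7 frank FAIL
2023-10-01T10:02:00 198.51.100.4 alice OK
2023-10-01T11:00:00 192.0.2.9 grace OK"""

# Constructed sharing graph: profiles a logged-in user can see (one hop).
RELATIVES = {"dave": {"heidi", "ivan"}, "ivan": {"judy"}, "alice": {"bob"}}

def parse(log):
    """Return (ip, user, success) tuples; the timestamp is not needed here."""
    out = []
    for line in log.strip().splitlines():
        _, ip, user, result = line.split()
        out.append((ip, user, result == "OK"))
    return out

def stuffing_sources(events, min_users=5, max_success_rate=0.3):
    """IPs that tried many distinct accounts and mostly failed."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, success in events:
        users[ip].add(user)
        total[ip] += 1
        ok[ip] += success
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users
                  and ok[ip] / total[ip] <= max_success_rate)

def compromised_accounts(events):
    """Accounts that logged in successfully from a flagged source: reset them."""
    bad = set(stuffing_sources(events))
    return sorted({user for ip, user, ok in events if ok and ip in bad})

def exposed_via_relatives(compromised, relatives=RELATIVES):
    """Other people's profiles readable from the compromised accounts."""
    exposed = set()
    for user in compromised:
        exposed |= relatives.get(user, set())
    return sorted(exposed - set(compromised))
```

On the sample log only 203.0.113.7 is flagged; dave's account is the one to force-reset, and through it heidi's and ivan's profiles were readable even though their own logins were never touched.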
One of the most alarming breaches of identities ever was the specific targeting of particular demographic groups, including 1 million Ashkenazi Jews and anyone in the 23andMe data set of Chinese descent. Attackers were quick to leak the breached DNA data on BreachForums and Reddit. Attackers also breached exposed raw genotype data, raising concerns about the potential misuse of genetic information for blackmail, unauthorized genetic research, or employment and insurance discrimination.
23andMe delayed telling Ashkenazi Jewish and Chinese customers that their data had been stolen. As a result, in January 2024, the company faced a class-action lawsuit accusing it of failing to protect sensitive genetic data adequately. The lawsuit was settled this month for $30 million, which included compensation for affected customers and commitments to strengthening cybersecurity measures.
"With great power comes great responsibility. 23andMe plays in a space that they knew—or should have known—was extremely sensitive. And they're paying a settlement that responds to a suit specifically related to their failure to exercise sufficient security protection for the targeted attack against customers with Chinese or Ashkenazi Jewish ancestry," Baer told VentureBeat.
Despite the settlement, 23andMe denied wrongdoing but agreed to implement additional security protocols, such as mandatory two-factor authentication and annual cybersecurity audits, to prevent similar incidents.
The company continues to face lawsuits, including one in which it tried to deflect blame by telling users that hackers took advantage of recycled credentials.
Where 23andMe needs to start
DNA is by far the most potent form of identity data that exists. 23andMe's initial efforts at MFA and audits don't go far enough. Moreover, with adversarial AI challenging MFA's reliability more and more, the company has to reinvent itself significantly from a security standpoint as it attempts to expand into therapeutics and clinical trials.
Here are five suggestions for where to start:
Audit all access credentials and delete any accounts that aren't being used now: A comprehensive audit of all access credentials is essential to eliminating "zombie credentials," as Ivanti's CPO, Srinivas Mukkamala, told VentureBeat: "Large organizations often fail to account for the massive ecosystem of apps, platforms and third-party services that grant access well past an employee's termination. We call these zombie credentials, and an incredibly large number of security professionals — and even leadership-level executives — still have access to former employers' systems and data." Given 23andMe's history of breaches, this is an excellent place to start.
Thoroughly audit how new accounts are created and start auditing every account with admin privileges. Attackers look to take over the new account creation process first, especially for admin privileges, because that gives them the control surface they need to take over the entire infrastructure. Many of the longest-dwelling breaches occurred because attackers could use admin privileges to deactivate entire systems' accounts and detection workflows, shutting down attempts at discovering their breach.
Passwordless is the future, so start planning for it now. 23andMe's senior management needs to consider moving away from passwords and adopting a zero-trust approach to identity security. Gartner predicts that by 2025, 50% of the workforce and 20% of customer authentication transactions will be passwordless. Leading passwordless authentication providers include Ivanti's Zero Sign-On (ZSO) solution, Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and others. Ivanti's Zero Sign-On (ZSO) solution is among the most flexible solutions, combining passwordless authentication, zero trust and a simplified user experience while supporting biometrics, including Apple's Face ID.
Verify every machine and human identity before granting access to any resources. One of the core principles of zero trust is least privileged access. 23andMe needs to implement it for every machine and human identity before granting access. That means current methods of password authentication, and the ways customers can traverse family trees and DNA Relatives structures, need to be further hardened against lateral movement.
Get a quick win in microsegmentation by not allowing the implementation to drag on. Microsegmentation is a security strategy that divides networks into smaller, isolated segments. It's proven effective in reducing the size and vulnerability of an attack surface, allowing organizations to identify and isolate any suspicious activity on their networks quickly. Microsegmentation is an essential component of zero trust, as defined in NIST's zero-trust framework.
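The first two suggestions (purging zombie credentials, and auditing account creation and admin privileges) reduce to a cross-check of the identity directory and third-party grants against HR status, idle time and MFA posture. The code below is an added example, not 23andMe's or Ivanti's; the account export, HR list, approved provisioning identities and SaaS grants are constructed for illustration.

```python
"""Added example (not 23andMe's or Ivanti's code): a 'zombie credential'
and admin-account audit over a constructed identity export. Output is a
list of (user, finding) action items to disable or fix."""
from datetime import date

AUDIT_DATE = date(2024, 9, 30)            # constructed 'as of' date
IDLE_LIMIT_DAYS = 90
ACTIVE_STAFF = {"alice", "bob"}           # constructed HR view of current staff
APPROVED_CREATORS = {"hr-sync", "breakglass-admin"}  # sanctioned provisioners

# Constructed directory export: one dict per account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "mfa": True,
     "last_login": date(2024, 9, 29), "created_by": "hr-sync"},
    {"user": "bob", "enabled": True, "admin": False, "mfa": False,
     "last_login": date(2024, 5, 1), "created_by": "hr-sync"},
    {"user": "dave", "enabled": True, "admin": True, "mfa": False,   # left in June
     "last_login": date(2024, 6, 20), "created_by": "hr-sync"},
    {"user": "ops-tmp", "enabled": True, "admin": True, "mfa": True,  # made by dave
     "last_login": date(2024, 9, 28), "created_by": "dave"},
]
# Constructed third-party grants still active: (user, service).
SAAS_GRANTS = [("alice", "git-hosting"), ("dave", "analytics-platform"),
               ("erin", "ticketing")]

def audit(accounts=ACCOUNTS, grants=SAAS_GRANTS, staff=ACTIVE_STAFF,
          today=AUDIT_DATE):
    """Return sorted (user, finding) pairs; a clean account yields none."""
    findings = set()
    for a in accounts:
        u = a["user"]
        if not a["enabled"]:
            continue                      # already disabled: nothing to do
        if u not in staff:
            findings.add((u, "zombie: enabled account not in HR active list"))
        if (today - a["last_login"]).days > IDLE_LIMIT_DAYS:
            findings.add((u, f"idle: last login over {IDLE_LIMIT_DAYS} days ago"))
        if a["admin"] and not a["mfa"]:
            findings.add((u, "admin without MFA"))
        if a["created_by"] not in APPROVED_CREATORS:
            findings.add((u, f"created outside approved provisioning (by {a['created_by']})"))
    # Access granted in SaaS tools outlives the directory account (zombie grants).
    for u, svc in grants:
        if u not in staff:
            findings.add((u, f"zombie SaaS grant: {svc}"))
    return sorted(findings)
```

Note that ops-tmp is flagged twice: it has no HR owner and was provisioned by an account that had itself already left, which is exactly the account-creation path the second suggestion says to audit.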
The path forward
"In light of the current boardroom issues, establishing robust protocols for data governance is crucial. For instance, in the event of bankruptcy or significant organizational changes, the data could remain protected within a secure vault, accessible only under strict oversight by appointed custodians," Aronchick told VentureBeat.
The challenges facing 23andMe go beyond financial losses and security failures. With leadership in flux and the company's future uncertain, it must act swiftly to modernize its IAM infrastructure and secure its data assets.
As its efforts to reinvent itself from a security standpoint go, so will the success or failure of its efforts to regain investor confidence and prevent further breaches. The consequences of inaction are clear: delays in securing its systems could invite more cyberattacks, eroding shareholder value and further endangering its financial stability.