With all seven independent directors resigning from 23andMe last week, the company has become a cautionary tale of why cybersecurity is a business decision for any enterprise first, as there are immediate and lasting impacts for any organization that ignores that. Customers aren’t sure how the company plans to strengthen its security and protect their DNA and other confidential personally identifiable information (PII). Enterprises can’t afford to allow security to become a liability.
Several large-scale security breaches have jilted current customers’ confidence and made potential customers think twice about sharing their DNA data with 23andMe.
The independent board members unanimously resigned in response to CEO Anne Wojcicki’s push to take the company private on Sept. 17. The resignation states that they haven’t seen progress on an actionable plan for taking the company private that benefits all shareholders.
The independent directors also cite differences of opinion with Wojcicki on the company’s future direction and believe it is best to resign instead of fueling potential internal conflict.
23andMe’s leadership crisis further jeopardizes DNA security
It’s rare to see an entire board resign at once. That signals a fundamental disconnect between how the board and senior management see the future of the business. 23andMe can’t afford a similar disconnect in its identity and access management (IAM) and privileged access management (PAM), which it needs to improve its security infrastructure and ensure a more robust security posture. Now is an ideal time for the company to reinvent itself from a security standpoint, protecting customers’ identities and their DNA data.
DNA data is the most permanent personal data there is, exposing victims of identity attacks based on that data to a lifetime of potential liability. As Tina Srivastava, co-founder of Badge, told VentureBeat in a recent interview, “With 23andMe and DNA, you can’t reset it, you can’t change it if it’s compromised. It’s like a one-and-done situation. It’s not revocable. What Badge does is that we eliminate the storage of biometric data.”
David Aronchick, CEO of Expanso, told VentureBeat that “one of the fundamental challenges for 23andMe is that while they possess an enormous amount of sensitive genetic data, they may not be fully equipped to extract its maximum value internally, especially without extensive research facilities.” Aronchick added that “traditionally, sharing this data with external parties has involved allowing downloads and trusting third parties to handle it responsibly—a method fraught with security risks – especially because the only way to enforce good behavior of the data is legally and with deep audits.” He said 23andMe would struggle with the scale such an approach would require.
Merritt Baer, CISO at Reco, told VentureBeat in a recent interview, “Identity security isn’t just a technical issue, it’s a fundamental component of corporate trust between a company and its users. When executive leadership is in flux, the entire organization is exposed to questions around how an entity will enforce both the strategic and the tactical behaviors that customers need to see”.
Financial instability is amplifying security concerns
For its first quarter of fiscal year 2025 (FY25), which ended June 30, 2024, 23andMe reported a 34% year-over-year revenue decline, dropping from $61 million to $40 million. The steep decline was influenced by the termination of its partnership with GSK and a drop in personal genetic services (PGS) sales.
Despite some improvement in adjusted EBITDA, the company’s net losses were still significant at $69 million for the quarter. Its struggling research business, known for being exceptionally expensive yet failing to deliver substantial revenue, contributes a multimillion-dollar loss, as the quarterly results show.
CNN reports that last month, 23andMe shuttered its internal drug research group.
With only $170 million in cash left, 23andMe faces a significant cash burn. It will need to raise more funds and consider an acquisition or an investment from private equity firms pursuing healthcare. The Wall Street Journal recently wrote, “23andMe has never made a profit and is burning cash so quickly it could run out next year.” 23andMe also introduced a telehealth platform, Lemonaid, selling weekly injections of compounded semaglutide, the active ingredient in Wegovy and Ozempic, through a new subscription product in an attempt to capitalize on the popularity of GLP-1 medications for weight loss, according to the WSJ.
Private equity firms are known for the depth of their due diligence before investing in or acquiring companies, often drilling down into the security infrastructure and tech stack. Given 23andMe’s distressed financial state, chances are it’s already on the acquisition radar of private equity firms.
Its ongoing security vulnerabilities could further reduce the company’s valuation, making it more attractive to private equity firms seeking distressed assets. Any future breaches would likely compound the company’s financial instability and depress its purchase price.
23andMe’s new board needs to include at least one CISO from healthcare who knows how to protect healthcare data and is familiar with the many compliance requirements and laws in that industry.
Baer remarked on the core challenges facing 23andMe’s board from a CISO perspective. “The board should be an accountability mechanism for the company— not just when it is convenient. The entire value proposition of 23andMe resides in the idea that folks will buy a genetic testing kit, but that was a questionable hypothesis (what happens after you buy it once? Your genes don’t change). Now it’s a questionable proposition because it relies on a presumption of trust—one that feels unreliable.”
23andMe is an attractive private equity buy
Despite its challenges, 23andMe’s vast base of genetic data, built on over 12 million kits sold, combined with the work it has been doing with healthcare professionals, medical researchers and the scientific community, makes it an attractive target for private equity firms.
The company’s current market capitalization is $170 million, with an enterprise value of approximately $69 million. Private equity firms with substantial investments in healthcare technology and services providers include Blackstone, which recently acquired Ancestry, KKR and TPG. Each of these firms and others potentially see the company’s condition and challenges as an opportunity to acquire 23andMe at a discount.
The sale of 23andMe to an offshore private equity firm would raise significant concerns about U.S. citizens’ genetic data security. When VentureBeat asked industry leaders, including Srivastava, for their perspective on a foreign buyer acquiring 23andMe, she said, “And I hope that given the national security implications of this, we don’t allow this to be given over, like you said to foreign parties that don’t respect the privacy of Americans.”
Eric Chien, Fellow, Symantec Threat Hunter Team at Broadcom, stressed the importance of a few things when VentureBeat interviewed him recently. The main one is “knowing who has access to that data and the chain of custody.” Without these safeguards, 23andMe’s sensitive data could be at risk of exploitation, further complicating any potential sale.
“This is a fairly unique situation (all of the independent directors resigned), but it’s emblematic of other issues in governance, trust, security and the damage to the company when external and internal folks lose confidence,” Baer told VentureBeat.
Attackers after DNA data also targeted ethnic groups
In October 2023, 23andMe suffered a significant data breach due to credential stuffing attacks, where hackers used login details obtained from other breaches to access user accounts. The breach compromised the personal and genetic data of nearly 7 million individuals. The information exposed included names, birth years and ancestry data from 5.5 million customers using the “DNA Relatives” feature and 1.4 million users using the “Family Tree” feature.
One of the most alarming breaches of identities ever was the specific targeting of distinct demographic groups, including 1 million Ashkenazi Jews and anyone in the 23andMe data set of Chinese descent. Attackers were quick to leak the breached DNA data on BreachForums and Reddit. Attackers also obtained exposed raw genotype data, raising concerns about the potential misuse of genetic information for blackmail, unauthorized genetic research, or employment and insurance discrimination.
23andMe delayed telling Ashkenazi Jewish and Chinese customers that their data had been stolen. As a result, in January 2024, the company faced a class-action lawsuit accusing it of failing to adequately protect sensitive genetic data. The lawsuit was settled this month for $30 million, which included compensation for affected customers and commitments to strengthening cybersecurity measures.
“With great power comes great responsibility. 23andme plays in a space that they knew— or should have known— was extremely sensitive. And they are paying a settlement that responds to a suit specifically related to their failure to exercise enough security protection for the targeted attack against customers with Chinese or Ashkenazi Jewish ancestry,” Baer told VentureBeat.
Despite the settlement, 23andMe denied wrongdoing but agreed to implement additional security protocols, such as mandatory two-factor authentication and annual cybersecurity audits, to prevent similar incidents.
The company continues to face lawsuits, including one in which it tried to deflect blame by telling users that hackers took advantage of recycled credentials.
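Credential stuffing of the kind described above leaves a recognizable trace in authentication logs: one source tries many different usernames, one password each, and mostly fails. The following detection routine, an added example that is not 23andMe’s or VentureBeat’s code, runs over a constructed log format with constructed thresholds and sample lines, and reports which accounts were successfully logged into from a source that fits that pattern, so a defender knows which accounts to lock and notify.

```python
"""Credential-stuffing detection over constructed auth log lines.
Added example, not 23andMe's or VentureBeat's code; the log format,
thresholds and sample lines are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<iso-timestamp> <src-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol FAIL
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin OK
2023-10-01T10:00:06 203.0.113.7 frank FAIL
2023-10-01T10:30:00 198.51.100.4 alice FAIL
2023-10-01T10:30:05 198.51.100.4 alice FAIL
2023-10-01T10:30:09 198.51.100.4 alice OK
"""

WINDOW = timedelta(minutes=5)  # sliding window per source IP
MIN_DISTINCT_USERS = 5         # distinct usernames tried inside the window
MAX_SUCCESS_RATIO = 0.5        # replayed credential lists mostly fail

def detect_credential_stuffing(log_text):
    """Return {src_ip: sorted accounts that logged in OK inside a flagged
    window}. An IP is flagged when, within WINDOW, it tries at least
    MIN_DISTINCT_USERS distinct usernames and mostly fails: many accounts,
    one attempt each, is the signature of a breached credential list being
    replayed, unlike one user retyping their own password (198.51.100.4)."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            ok = [u for _, u, r in window if r == "OK"]
            if len(users) >= MIN_DISTINCT_USERS and len(ok) / len(window) <= MAX_SUCCESS_RATIO:
                hits.setdefault(ip, set()).update(ok)
    return {ip: sorted(users) for ip, users in hits.items()}

if __name__ == "__main__":
    # Expected: {'203.0.113.7': ['erin']}; erin's account needs review
    print(detect_credential_stuffing(SAMPLE_LOG))
```

On real traffic the same logic would run per window over the login service’s logs, and any account in the result is a candidate for a forced password reset and MFA enrollment rather than an automatic lockout alone.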
Where 23andMe needs to start
DNA is by far the most potent form of identity data that exists. 23andMe’s initial efforts at MFA and audits don’t go far enough. With adversarial AI increasingly challenging MFA’s reliability, the company has to reinvent itself significantly from a security standpoint as it attempts to expand into therapeutics and clinical trials.
Here are five tips on where to start:
Audit all access credentials and delete any accounts that aren’t being used now: A comprehensive audit of all access credentials is essential to eliminating “zombie credentials,” as Ivanti’s CPO, Srinivas Mukkamala, told VentureBeat: “Large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination. We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data.” Given 23andMe’s history of breaches, this is an excellent place to start.
Thoroughly audit how new accounts are created and start auditing every account with admin privileges. Attackers look to take over the new account creation process first, especially for admin privileges, because that gives them the control surface they need to take over the entire infrastructure. Many of the longest-dwelling breaches occurred because attackers could use admin privileges to deactivate entire systems’ accounts and detection workflows, shutting down attempts at discovering their breach.
Passwordless is the future, so start planning for it now. 23andMe’s senior management needs to consider moving away from passwords and adopting a zero-trust approach to identity security. Gartner predicts that by 2025, 50% of workforce and 20% of customer authentication transactions will be passwordless. Leading passwordless authentication providers include Ivanti’s Zero Sign-On (ZSO) solution, Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and others. Ivanti’s Zero Sign-On (ZSO) solution is among the most flexible options, combining passwordless authentication, zero trust and a simplified user experience while supporting biometrics, including Apple’s Face ID.
Verify every machine and human identity before granting access to any resources. One of the core principles of zero trust is least privileged access. 23andMe needs to implement it for every machine and human identity before granting access. That means current methods of password authentication, and the ways customers can traverse family trees and DNA Relatives structures, need to be hardened further against lateral movement.
Get a quick win in microsegmentation by not allowing the implementation to drag on. Microsegmentation is a security strategy that divides networks into smaller, isolated segments. It has proven effective in reducing the size and vulnerability of an attack surface, allowing organizations to quickly identify and isolate any suspicious activity on their networks. Microsegmentation is a critical component of zero trust, as defined in NIST’s zero-trust framework.
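The first two tips above, an audit for zombie credentials and an audit of privileged account creation, come down to joining the identity inventory against the HR feed and the change-approval record. The routine below is an added example, not 23andMe’s or Ivanti’s code; the record layout, the audit date, the 90-day dormancy threshold and all sample records are constructed for illustration.

```python
"""Access-credential audit over constructed inventories.
Added example, not 23andMe's or Ivanti's code; the record layout,
dates, threshold and sample records are constructed for illustration."""
from datetime import date, timedelta

AUDIT_DATE = date(2024, 9, 20)      # constructed "today"
DORMANT_AFTER = timedelta(days=90)  # unused this long -> disable

# Constructed identity inventory: one row per account or credential.
ACCOUNTS = [
    # id, owner, is_admin, last_login, approved_by (change ticket)
    ("j.doe",        "emp-101", False, date(2024, 9, 18), None),
    ("svc-export",   "emp-207", True,  date(2024, 3, 2),  "CHG-441"),
    ("t.lee",        "emp-333", False, date(2024, 9, 1),  None),
    ("backup-admin", "emp-101", True,  date(2024, 9, 19), None),
    ("contractor-9", "ext-12",  False, None,              None),
]
# Constructed HR feed: identities whose employment or contract has ended.
TERMINATED = {"emp-207", "ext-12"}

def audit_accounts(accounts, terminated, today=AUDIT_DATE,
                   dormant_after=DORMANT_AFTER):
    """Return {account_id: [finding, ...]} for accounts to delete or review.
    Findings: 'zombie' (owner no longer employed, yet the credential still
    exists), 'dormant' (never used, or unused for longer than dormant_after),
    'admin-unapproved' (privileged account with no recorded approval, the
    account-creation path attackers abuse). Clean accounts are omitted."""
    findings = {}
    for acct_id, owner, is_admin, last, approved in accounts:
        issues = []
        if owner in terminated:
            issues.append("zombie")
        if last is None or today - last > dormant_after:
            issues.append("dormant")
        if is_admin and not approved:
            issues.append("admin-unapproved")
        if issues:
            findings[acct_id] = issues
    return findings

if __name__ == "__main__":
    for acct_id, issues in audit_accounts(ACCOUNTS, TERMINATED).items():
        print(f"{acct_id}: {', '.join(issues)}")
```

A real run would pull the three inputs from the IAM/PAM system, the HR system and the ticketing system respectively, and the 'zombie' findings are the ones to act on first since the owner cannot dispute the removal.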
The path forward
“In light of the current boardroom issues, establishing robust protocols for data governance is crucial. For instance, in the event of bankruptcy or significant organizational changes, the data could remain protected within a secure vault, accessible only under strict oversight by appointed custodians,” Aronchick advised VentureBeat.
The challenges facing 23andMe go beyond financial losses and security failures. With leadership in flux and the company’s future uncertain, it must act swiftly to modernize its IAM infrastructure and secure its data assets.
As its efforts to reinvent itself from a security standpoint go, so will the success or failure of its efforts to regain investor confidence and prevent further breaches. The consequences of inaction are clear: delays in securing its systems could invite more cyberattacks, eroding shareholder value and further endangering its financial stability.