Part 1: The data breach that exposed 6.9 million records at genetic testing and data company 23andMe isn’t only being fought in the courts as to who to blame (customers recycling already corrupted passwords versus a site vulnerability to brute-force hacking). It appears the hackers had specifically targeted people with Chinese or Ashkenazi Jewish heritage. Worse, 23andMe is not addressing that. The evidence was there as early as October.
- 1 October: an unknown person posts on the 23andMe subReddit that they had customer records, posting a sample of the stolen data. Supposedly this is how 23andMe found out that their user data had been hacked and stolen. (Editor’s note–this zero-trust breach beggars credibility in a tech-oriented company.)
- 6 October: 23andMe’s blog post announcement of the initial 14,000 records hacked in their customer base, which later grew to 6.9 million records revealed through the links to MyHeritage, in adding functionality to Family Tree, or sharing their information by opting into 23andMe’s DNA Relatives feature.
- 6 October: Wired’s reveal that earlier in that week, a hacker posted on BreachForums a data sample of what they claimed were 1 million records exclusively on those of Ashkenazi Jewish heritage, plus hundreds of thousands of records on those of Chinese heritage. By Wednesday, the hacker was selling what was claimed as 23andMe profiles with information on display name, sex, birth year, and details on genetic ancestry results, but not raw genetic data. Pricing was between $1 and $10 per account depending on number purchased.
- By December, 23andMe was squarely blaming users for reusing passwords (credential stuffing), even if they created a unique password, and denigrating their right to demand legal accountability from 23andMe on their lax security procedures. [TTA 6 Dec 23, 19 Jan]
None of the contacts that 23andMe has made with users since October, including the letter sent to breached users (via TechCrunch) refers to any specific ethnic group targeting.
World events made this targeting and timing very important. The brutal attack by Hamas in the south of Israel was the very next day after the breach was disclosed, 7 October. It killed 1,200 civilians, with over 200 hostages. Israel declared war on Hamas in Gaza which still goes on, as do the demonstrations against Israel and overt anti-semitism. Given the targeting evident in this breach of individuals with information for sale, by 11 January Representative Josh Gottheimer (CD-5, NJ) sent a letter to the director of the FBI to investigate the hacking, specifically because the information could be purchased via sites used by hackers to merch this type of information–and used to target Jews globally.
Third-party data included in the hack? There is also the possibility that DNA information from third parties such as Sequencing entered 23andMe’s database. In Illinois and other states, this type of sharing is illegal without specific consent. This information could also have been stolen without the knowledge of the individual. This has sparked additional class action lawsuits. The Times of Israel
Part 2: 23andMe is in poor shape financially. Like all too many companies that went public in 2021, 23andMe is a cracked SPAC that debuted in February 2021 above $16, with a company valuation of $6 billion, and now is trading on Nasdaq at $0.73 which gives the company a negligible value. Revenue is upside down and the company is torching through the $1.4 billion it raised both in the market and through private investment. The WSJ’s estimate in a far-reaching article is that it is 80% gone. Founder Anne Wojcicki’s stock has supervoting privileges which means she effectively controls the company, not the shareholders.
Both Ancestry (remember them?) and 23andMe had ups and downs from 2015 but the hype, especially after the Theranos implosion that year, was stunning. Genetics became The Next Big Thing That Would Save Health Tech. The large flaw–the market for genetic testing for ancestry and/or health is a ‘one and done’, which TTA predicted back in 2020 and earlier. Wojcicki guessed early on that a revenue model lay in selling de-identified genetic information to pharma. But their five-year exclusive deal with GSK ended last year and led to an 11% layoff [TTA 10 Aug 23]. Subscriptions for lifestyle counseling starting at $200 and exceeding $1,100 never took off. Growing their $4oo million Lemonaid buy from fall 2021 into a more robust and integrated telehealth platform never happened. Her long-term bet was moving into drug discovery using all that DNA data, but only two drugs of 50 have reached early-stage human trials.
Whether 23andMe will climb out of this crater, both financial and data security, as they did several times in early days, is to be seen. But Wojcicki’s personal brand apparently remains in great shape, unlike their data security. Also Futurism
*Updated 2 Feb for additional references, content, and copy editing