In a dramatic turn of events, 23andMe is still grappling with the repercussions of a significant data breach that occurred in 2023. The breach may have exposed sensitive genetic information belonging to almost seven million people across the globe, and the company’s market capitalization crashed by over 95% as a result. Since that point, 23andMe’s value on the public market has declined by more than 97 percent. This catastrophic drop has sparked calls for immediate change in the company’s governance and structure.
Underscoring the growing turmoil, this week the company confronted the abrupt resignation of seven independent directors in September. This mass exodus reflects rising alarm over the organization’s governance and security practices. Anne Wojcicki, the company’s founder and CEO at the time of the breach, is betting big on taking 23andMe private again. This change represents a smart turn of events for the company as it seeks to recover from its ongoing plight.
The breach has had wide-ranging effects, including a Chapter 11 bankruptcy filing in late March. Demand for 23andMe’s services also fell sharply. In light of this and the aftershocks of a 2020 data breach, the company opted to sell its business at auction. Security missteps were central to the incident: weak authentication standards and the absence of multi-factor authentication contributed to the breach.
The UK’s Information Commissioner, John Edwards, has repeatedly called the company out for its inability to provide a legal basis, and he has said that 23andMe’s security protocols are inadequate. He cautioned that, absent effective remediation, the company should expect further enforcement action.
“They’ve failed to reach the standard required by U.K. law. If they don’t remedy that, they will remain in breach and could be exposed to further enforcement action.” – John Edwards
The breach had a direct impact on users, including an estimated 320,000 Canadians and 150,000 UK users. 23andMe was ultimately fined $9 million for the security lapse. UK enforcement authorities levied a £2.31 million fine, and in the US, the company was required to pay a $30 million fine and undergo three years of security oversight.
In light of these concerns, 23andMe has started adopting several recommendations put forth by the Canadian and UK privacy commissioners. But despite initial optimism, doubts remain about how effective they will be. Philippe Dufresne, Canada’s Privacy Commissioner, was quick to point out that lasting obligations persist for 23andMe’s leadership.
“We’ve indicated in the report that we will be following this carefully, that the obligations should continue to apply to any new owner and that if there are any concerns that our citizens can reach out to us and we’ll take the appropriate steps.” – Philippe Dufresne
Dufresne further stressed the need to make data protection a priority in the ever-evolving, data-driven landscape.
“With data breaches growing in severity and complexity and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” – Philippe Dufresne
As a result of this breach, 23andMe’s competitive advantage in the market has been severely diminished. Through litigation, the breach has also prompted substantive discussions about data security practices at technology companies. This is a story with deep implications that stretch far beyond the dollar amounts alone. It underscores the urgent need for firms to adopt rigorous security practices to protect sensitive consumer data.