23andMe Data Breach Exposes Millions: Is Your DNA at Risk?

23andMe suffered a massive data breach exposing the genetic information of millions.

By Al Landes



Key Takeaways

  • 23andMe suffered a data breach exposing the genetic data of 6.9 million users.
  • Leadership changes and financial instability raise concerns about data security.
  • Users should reset passwords, enable 2FA, and review data sharing settings.

In October 2023, 23andMe suffered a massive data breach that exposed the genetic information of millions of users. The breach, caused by a credential stuffing attack, has raised serious concerns about the security of sensitive DNA data entrusted to the company.

The breach affected approximately 6.9 million users, including 5.5 million who had opted into the “DNA Relatives” feature and 1.4 million whose “Family Tree” profile information was accessed. Hackers specifically targeted certain demographic groups, such as users of Ashkenazi Jewish and Chinese descent, raising fears about the potential misuse of genetic information for blackmail, unauthorized research, or discrimination.

This incident comes at a time when 23andMe is facing significant leadership and financial challenges. In September 2024, all seven independent directors resigned due to disagreements with CEO Anne Wojcicki over the company’s future direction. The company also reported a 34% year-over-year revenue decline and net losses of $69 million in the first quarter of fiscal year 2025.

The breach highlights the critical need for robust security measures to protect sensitive genetic data. The Atlantic reports that 23andMe has taken steps to enhance security, such as implementing mandatory two-factor authentication and committing to annual cybersecurity audits. However, experts recommend further actions, including auditing access credentials, adopting passwordless authentication, and implementing micro-segmentation to reduce the attack surface.

VentureBeat says that DNA data is the most personal data that exists, exposing victims of identity attacks to a lifetime of potential liability. As Tina Srivastava, co-founder of Badge, told VentureBeat in a recent interview, “With 23andMe and DNA, you can’t reset it, you can’t change it if it’s compromised. It’s like a one-and-done situation. It’s not revocable. What Badge does is that we eliminate the storage of biometric data.”

The potential sale of 23andMe to a private equity firm, especially a foreign one, raises additional regulatory and ethical concerns. The security of genetic data is not only a matter of individual privacy but also of national security, as it is a critical asset that requires strong protection.

Users of 23andMe are advised to take immediate action to protect their accounts by resetting passwords and enabling two-factor authentication. They should also review and manage their sharing settings within the platform to control access to their genetic information.

In response to the breach, 23andMe has agreed to a $30 million settlement in a class-action lawsuit, which includes compensation for affected customers and commitments to strengthening cybersecurity measures. Data protection authorities in the UK and Canada are also conducting investigations to assess the company’s security practices.

As 23andMe navigates these challenges, it must prioritize the security and trust of its users to ensure the long-term integrity of its services. Protecting genetic data is a shared responsibility that requires ongoing vigilance and collaboration between companies, regulators, and individuals.

