Genetic data for sale: Lessons learnt from 23andMe downfall
Posted: April 16, 2025
Stories have power, and stories about adverse consequences for other organizations can hold the most power, because they help us all learn from the mistakes of others. Negative stories help organizations see practical implications of decisions and, hopefully, prevent the same or similar pitfalls within their own organization. Negative stories help put faces and real-world scenarios to lessons that are much easier to learn vicariously than directly.
To this end, an excellent question to ask about negative stories is, “How could we become <insert company name>?”
In other words, risk leaders who take the time to understand the story of a company that faced challenges, and ask how that fact pattern could apply to their own organization, are better placed to detect and prevent similar risks. The story of 23andMe is an excellent example from which many companies can learn and benefit. It is a story about the importance of a customer-centric orientation and the customer trust that it engenders.
The background: Where did 23andMe go wrong?
23andMe is one of many companies that offer genetic testing. It offers several services, including genotyping to detect disease-causing variants and predict health risks, and ancestry reports. There is also functionality through which relatives can identify each other (on an opt-in basis) based on their genetics and connect with one another. This means that 23andMe collects and maintains some of the most sensitive data possible, including health and race/ethnicity information.
In October 2023, 23andMe reported a data breach. The breach was the result of a credential stuffing attack, a technique in which an attacker takes username/password pairs leaked in earlier breaches of other sites and replays them, usually with automated tooling, against the target's login page. Because many consumers reuse the same email address and password across accounts, some percentage of those replayed pairs will work on any site that does not require multi-factor authentication.
Though 23andMe required multi-factor authentication after the breach, it did not require it at the time of the attack. As a result, the credential stuffing campaign succeeded against around 14,000 accounts over approximately five months. The attackers obtained raw genotype data, health predisposition reports, and carrier status reports for those accounts. Because the compromised accounts had opted into the relative-matching feature, the attackers could also collect the less detailed profile information that the feature shares between matches, affecting more than 5 million other users who had opted in. 23andMe publicly acknowledged the breach only after a user posted that 23andMe data was up for sale; the company also stated that it had not detected the attack within its own systems.
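Credential stuffing leaves a characteristic footprint in authentication logs: a single source tries many different accounts, fails most of the time (most leaked pairs do not match the target site), and occasionally succeeds. The detection the company said it lacked is not exotic. The script below is an added example, not 23andMe's code or logs; it runs over a constructed, hypothetical JSON-lines login log with assumed fields `ts`, `src_ip`, `username` and `outcome`, flags sources whose behaviour matches stuffing, and lists the accounts that were successfully taken over from those sources (the ones to force-reset and notify).

```python
# Added example (not 23andMe's code or logs): a minimal credential-stuffing
# detector over a constructed, hypothetical JSON-lines authentication log.
# Assumed event fields: ts, src_ip, username, outcome ("success" | "failure").
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges; the usernames are invented. The first source sprays
# eight different accounts and gets one hit (a reused password); the second
# sprays five and gets none; the last two are ordinary users, one of whom
# mistyped a password once.
SAMPLE_LOG = """
{"ts": "2023-04-12T02:00:01Z", "src_ip": "203.0.113.7", "username": "u.martin", "outcome": "failure"}
{"ts": "2023-04-12T02:00:02Z", "src_ip": "203.0.113.7", "username": "j.ng", "outcome": "failure"}
{"ts": "2023-04-12T02:00:03Z", "src_ip": "203.0.113.7", "username": "alice", "outcome": "success"}
{"ts": "2023-04-12T02:00:04Z", "src_ip": "203.0.113.7", "username": "p.ortiz", "outcome": "failure"}
{"ts": "2023-04-12T02:00:05Z", "src_ip": "203.0.113.7", "username": "k.sato", "outcome": "failure"}
{"ts": "2023-04-12T02:00:06Z", "src_ip": "203.0.113.7", "username": "m.bauer", "outcome": "failure"}
{"ts": "2023-04-12T02:00:07Z", "src_ip": "203.0.113.7", "username": "r.costa", "outcome": "failure"}
{"ts": "2023-04-12T02:00:08Z", "src_ip": "203.0.113.7", "username": "d.lee", "outcome": "failure"}
{"ts": "2023-04-12T02:01:00Z", "src_ip": "203.0.113.8", "username": "s.khan", "outcome": "failure"}
{"ts": "2023-04-12T02:01:01Z", "src_ip": "203.0.113.8", "username": "t.rossi", "outcome": "failure"}
{"ts": "2023-04-12T02:01:02Z", "src_ip": "203.0.113.8", "username": "w.chen", "outcome": "failure"}
{"ts": "2023-04-12T02:01:03Z", "src_ip": "203.0.113.8", "username": "y.park", "outcome": "failure"}
{"ts": "2023-04-12T02:01:04Z", "src_ip": "203.0.113.8", "username": "z.adams", "outcome": "failure"}
{"ts": "2023-04-12T08:15:00Z", "src_ip": "198.51.100.22", "username": "bob", "outcome": "failure"}
{"ts": "2023-04-12T08:15:09Z", "src_ip": "198.51.100.22", "username": "bob", "outcome": "success"}
{"ts": "2023-04-12T09:02:00Z", "src_ip": "192.0.2.10", "username": "carol", "outcome": "success"}
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to score login behaviour."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in


def parse_events(log_text):
    """Yield one event dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def aggregate_by_source(events):
    """Fold events into per-source statistics."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src_ip"]]
        s.attempts += 1
        s.usernames.add(ev["username"])
        if ev["outcome"] == "failure":
            s.failures += 1
        else:
            s.successes.add(ev["username"])
    return stats


def flag_stuffing_sources(stats, min_distinct_users=5, min_failure_rate=0.8):
    """Return the sources whose pattern looks like credential stuffing.

    A legitimate user who forgets a password fails a few times against one
    account. A stuffing tool fails most of the time across many different
    accounts. Both thresholds are tunable assumptions, not values from the
    article; tune them against your own baseline of benign traffic.
    """
    return {
        ip: s for ip, s in stats.items()
        if len(s.usernames) >= min_distinct_users
        and s.failures / s.attempts >= min_failure_rate
    }


def compromised_accounts(flagged):
    """Accounts that authenticated successfully from a flagged source.

    These are the reused-password victims: the hit rate of the spray is low,
    but every hit is a full account takeover unless a second factor is required.
    """
    accounts = set()
    for s in flagged.values():
        accounts |= s.successes
    return sorted(accounts)


def analyse(log_text):
    """Run the pipeline; return (sorted flagged source IPs, sorted victim accounts)."""
    flagged = flag_stuffing_sources(aggregate_by_source(parse_events(log_text)))
    return sorted(flagged), compromised_accounts(flagged)


if __name__ == "__main__":
    ips, accounts = analyse(SAMPLE_LOG)
    print("stuffing sources:", ips)              # ['203.0.113.7', '203.0.113.8']
    print("accounts to force-reset:", accounts)  # ['alice']
```

Two caveats a practitioner would raise. First, a per-source rule is evaded by spreading the spray across many proxy addresses, so it should be paired with a per-account signal (a successful login from a source never previously seen for that account triggers step-up verification) and with rate limiting at the login endpoint. Second, detection only limits the damage; requiring a second factor is what makes a matched password insufficient for takeover in the first place.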
The impacts: Lawsuits, mistrust and bankruptcy
In addition to the brand damage that follows most breaches, 23andMe subsequently faced lawsuits related to the incident. When customers took legal action, 23andMe responded with a letter to several of them asserting that the breach could not result in any harm to the affected individuals and blaming the victims for negligently recycling passwords. Victims, their attorneys and the media disagreed.
They argued that requiring multi-factor authentication would have blunted the credential stuffing attack, and that monitoring for anomalous login activity (large numbers of failed logins across many accounts from the same sources) could have detected the attack long before the data surfaced for sale. They further argued that genetic and ancestry data obtained through 23andMe could be used by foreign governments or individuals to identify and harm people, physically or through extortion, on the basis of their race/ethnicity or family relationships. Others imagine scenarios in which employers or insurance companies misuse information about a person's health risks.
The impact on 23andMe has been substantial. The company went public in 2021 at a valuation of $3.5 billion; by 2024 it was worth around $300 million. It also settled a class action lawsuit for $30 million. Having never turned a profit, 23andMe declared bankruptcy in March 2025.
Lessons learnt: Customer trust is monumental
If we ask the question, “How could my company become 23andMe?” the answer boils down to “ignoring the power of customer trust.”
At each step in the 23andMe use case – from prevention to detection to customer interactions – the company failed to realize the dramatic impact that the lack of customer trust would have on its business. At the most basic level, the company acted in ways that destroyed customer trust, and as a result the company itself was lost.
There are also further questions about what happens to the data the company holds if 23andMe is sold to the highest bidder. While the company maintains that all data remains secure and protected, privacy professionals are recommending that consumers delete their data as a safeguard. Who trusts a company that has made this many missteps?
By identifying ways to NOT travel the path of 23andMe, the moral of the 23andMe story becomes apparent:
- Accurately assess data risk – Whether through Data Protection Impact Assessments (DPIAs), security risk assessments, or implementing comprehensive privacy technology, an organization that accurately predicts the risk of potential harm to data subjects if the data get into the wrong hands will make better and more targeted decisions related to security and privacy measures commensurate with that risk.
- Employ strong security – Security is not just a matter of asking people to set up (recycled) passwords. Organizations that manage sensitive data in particular should require multi-factor authentication and other stronger measures to prevent account takeover. They should also establish internal controls that detect and act on suspicious activity, such as spikes in failed logins across many accounts or bulk access to shared data, to limit the damage if a breach does occur.
- Take responsibility – Bad things can happen to good companies. When they do, good companies take responsibility. Victim blaming is not a productive strategy.
In summary, the 23andMe case study illustrates how a lack of customer-centric design in privacy and security leads to poor decisions, how those decisions erode customer trust, and how the loss of that trust can kill a company. An organization that asks itself how it can prevent a similar freefall will conclude that taking real actions that put the customer first, such as assessing data risk, employing sound security strategies, and taking responsibility, will earn customer trust. Without that trust, especially where sensitive personal data is involved, a company is likely to fail.