This isn’t the first time at-home genetic testing company 23andMe has been in the news for a hack, but the recent breach — whose details were finally disclosed last week after going unnoticed for five months — appears to be its corporate coup de grâce. As reported by the Wall Street Journal this week, 23andMe’s stock is in the toilet after a 98% value crash that (at the time of writing) left it at 68 cents a share, with NASDAQ still threatening to delist the company as it now faces four class action lawsuits.
The company’s DNA database contained information on at least 14 million people, and nearly half of those accounts were exposed in the data breach, with at least some genetic data stolen and put up for sale. A subset of those accounts — 23andMe says it was no more than 16,000 — had private health information extracted, along with genetic information on family members and relatives. More than a million profiles of users with Ashkenazi Jewish ancestry were reportedly curated into a list by attackers.
The cyberattack apparently went unnoticed until early October, when the company finally asked users to change their passwords. By December, it notified customers of the breach, according to TechCrunch. And by Jan. 11, calls began for Congress to investigate.
Related
Micro-medical machines like "The Magic Schoolbus" are being developed, but safety concerns remain
Sitting atop this burning pile of “everyone told you this was coming” is 23andMe’s billionaire CEO Anne Wojcicki. From her earliest days heading the company, it seems she’s been digging it into a scientific and regulatory hole while dismissing privacy-ethics concerns with typical Silicon Valley hand-waving and hollow security reassurances.
I’m not just picking on a figurehead. Wojcicki raised around $1.4 billion for 23andMe (about 80% of which she’s reportedly burned through) and, with stock-based supervoting privileges, she’s got full control over her company. Since 2009 she’s made a show of having the reins, though not much show of her security advancements. Of course, innovative notions don’t seem to be her forte.
As the Journal detailed in its scathing report, 23andMe wasn’t initially Wojcicki’s idea. It was Linda Avey’s — a genetics expert who already had a business and knew Google co-founder Sergey Brin. Avey told Brin about her company in 2005, back when he and co-founder Larry Page were building Google out of the fabled Menlo Park garage. That garage belonged to Anne’s sister Susan Wojcicki, later the CEO of YouTube. Susan introduced Brin to Wojcicki, and the two started dating.
"I get minimum wage. I've never been paid in cash," claimed the 23andMe CEO.
Since Wojcicki was a Google Girlfriend and Avey needed Google-sized money, she agreed to let Wojcicki come aboard. To no one’s surprise, two weeks after Brin and Wojcicki married in 2007, Google cut the check and 23andMe was born. Apparently limelight-hungry and insecure, Wojcicki flexed her status as Mrs. Google in 2009 to back-stab Avey — reportedly using her cachet to push 23andMe’s board to fire the genetics expert in a surprise meeting.
The cracks started showing in 23andMe’s shoddy science in 2010, and the Government Accountability Office called the company out for producing “test results that are misleading and of little or no practical use.” But it didn’t matter, really, given the company’s self-stated goal: building the ultimate motherlode of profitable DNA data.
Writing for Salon almost exactly 10 years to the day, in 2014, Benjamin Winterhalter called it:
“The idea of a massive genetic database holds all the ominous potential,” he wrote. “Their kit is merely the prototype for a kind of bioinformatics product that companies will package and market to us in the years to come…. 23andMe is, in the final analysis, a marketer of data.”
We need your help to stay independent
Subscribe today to support Salon's progressive journalism
Fair call. As Salon noted in 2013, the Food and Drug Administration had already ordered 23andMe to stop selling its spit kits “without marketing clearance or approval.” But it took six years before the FDA issued a formal order. In 2015, it gave 23andMe the green light again and the company raised $115 million. By 2017, 23andMe was telling customers whether they were at risk for 10 diseases based on the company’s skewed comparison catalog.
Can we be sure that user privacy was respected at 23andMe, or at similar companies, even before the latest hack? Buzzfeed News revealed in 2019 that another gene-test company, FamilyTreeDNA, had given the federal government access to its own database. In a statement emailed to Salon after the first version of this article appeared, a 23andMe spokesperson said that the company “has never shared customer data with law enforcement or the federal government.” Given the gag orders used by authorities under the Patriot Act and the lack of privacy laws in the U.S., it’s impossible to verify that, or to know whether any previous data breaches have gone undiscovered.
Related
"Immoral" spy program: DHS collecting domestic intelligence in "shady" operation
You know the craziest thing about all this? 23andMe reportedly never made a profit. It was always just a bet that rode on some rich people’s last names, staying afloat for 16 years on a promising “maybe,” while Wojcicki got paid.
But Wojcicki was on a spree in 2019, doubling staff in a massive new building. She dropped another $400 million in 2021 for telehealth company Lemonaid. And reached peak celebrity when 23andMe went public, riding a $6 billion valuation. It didn’t matter that only two of the 50 possible drug candidates developed with its database ever got close to market approval, she still set up a 150-person drug outpost during the 2022 cash crunch. By the end of 2023, she fired half that staff, hit 23andMe with three rounds of layoffs and sold off a subsidiary.
Wojcicki made $33 million in 2021. That’s absurd even by Silicon Valley standards. She made $20 million the year before. And when the Journal asked her about it last week, her response was such a transparent line of crap that everyone who read that article could see straight through her costly and careful facade.
“I get minimum wage. I’ve never been paid in cash,” she said.
I think her better quote came when she previously bragged to Fortune about being a billionaire: “Having cash — and being able to fund projects — opens up doors.”
I’m sure she’s right, and that her cash will open up plenty of doors for her in the coming months. Office doors of lobbyists, lawyers and judges. Since billionaires are such special, precious babies who can never be allowed to see the inside of a jail cell, maybe that cash will open the doors to her private jet for her — which she will board with whatever coterie of yes-men she keeps around to prop up her delusional notions of tech ethics. Maybe, if we’re all lucky, she can then flee any trace of accountability for her starring role in this mess, as she seems to so desire, and relieve us all of having to watch the remainder of her company’s grotesque spectacle.
An earlier version of this article originally appeared in Salon's Lab Notes, a weekly newsletter from our Science & Health team.
CORRECTION: This article has been revised, updated and corrected in a number of areas. As initially published, the article implied that detailed personal information had been extracted from 6.9 million 23andMe accounts in the 2023 data breach. According to a response from 23andMe after publication, that was incorrect. Some genetic data was extracted from millions of accounts, but the company says personal information was scraped from only a small proportion of those. The chronology of events following the data breach has been clarified. A Government Accountability Report from 2010 has been more accurately summarized. A disputed characterization of GlaxoSmithKline’s 2018 investment in 23andMe has been removed, as has the suggestion that 23andMe was involved in identifying immigrants for the purpose of family reunification, a proposal that was never put into practice.