
23andMe's lesson to tech elites: The days of sloppy security are over – Salon


This isn’t the first time at-home genetic testing company 23andMe has been in the news for a hack, but the recent breach — whose details were finally disclosed last week after going unnoticed for five months — appears to be its corporate coup de grâce. As reported by the Wall Street Journal this week, 23andMe’s stock is in the toilet after a 98%-value crash that (at the time of writing) left it at $0.68 a share, with NASDAQ still threatening to delist the company as it now faces four class action lawsuits.

The company’s DNA database contained the most sensitive medical information of at least 14 million people — and 6.9 million of them had their genetic data stolen and put up for sale. Each person’s file contained account IDs, full names, sex, date of birth, full DNA profiles and location. Of that total, more than a million Ashkenazi Jewish profiles have also now been curated into a list by attackers.

The cyberattack went unaddressed from April 29 to Sept. 27, and the company finally asked people to change their passwords in October. By December, it notified customers of the breach, according to TechCrunch. And, by Jan. 11, calls began for Congress to investigate.

Sitting atop this burning pile of “everyone told you this was coming” is 23andMe’s billionaire CEO Anne Wojcicki. From her earliest days heading the company, it seems she’s been digging it into a scientific and regulatory hole while dismissing privacy-ethics concerns with typical Silicon Valley hand-waving and hollow security reassurances. 

I’m not just picking on a figurehead. Wojcicki raised around $1.4 billion for 23andMe (about 80% of which she’s reportedly burned through) and, with stock-based supervoting privileges, she’s got full control over her company. Since 2009 she’s made a show of having the reins, though not much show of her security advancements. Of course, innovative notions don’t seem to be her forté.


As the Journal detailed in its scathing report, 23andMe wasn’t even Wojcicki’s idea. Nor initially her company. It was Linda Avey’s — a genetics expert who already had a business and knew Google co-founder Sergey Brin. Avey told Brin about her company in 2005, back when he and co-founder Larry Page were building Google out of the fabled Menlo Park garage. That garage belonged to Anne’s sister Susan Wojcicki, later the CEO of YouTube. Susan introduced Brin to Wojcicki, and the two started dating. 


Since Wojcicki was a Google Girlfriend and Avey needed Google-sized money, she agreed to let Wojcicki come aboard. To no one’s surprise, two weeks after Brin and Wojcicki married in 2007, Google cut the check and 23andMe was born. Apparently limelight-hungry and insecure, Wojcicki flexed her status as Mrs. Google in 2009 to back-stab Avey — reportedly using her cachet to push 23andMe’s board to fire the genetics expert in a surprise meeting. 

The cracks started showing in 23andMe’s shoddy science in 2010, and the Government Office of Accountability called the company out for misusing people’s DNA data for slippery tea-leaf reading about their health. But it didn’t matter, really, given the company’s self-stated goal: building the ultimate mother lode of profitable DNA data.

Writing for Salon almost exactly 10 years ago to the day, in 2014, Benjamin Winterhalter called it.

“The idea of a massive genetic database holds all the ominous potential,” he wrote. “Their kit is merely the prototype for a kind of bioinformatics product that companies will package and market to us in the years to come …. 23andMe is, in the final analysis, a marketer of data.” 

Fair call. As Salon noted in 2013, the Food and Drug Administration had already ordered 23andMe to stop selling its spit kits “without marketing clearance or approval.” But it took six years before the FDA issued a formal order. In 2015, it gave 23andMe the green light again and the company raised $115 million. By 2017, 23andMe was telling customers whether they were at risk for 10 diseases based on the company’s skewed comparison catalog.


Drug giant GlaxoSmithKline bought access to 23andMe’s database in 2018 for $300 million, and Wojcicki promised “no individual will be identifiable” via DNA results. But 23andMe began identifying people that year, specifically immigrants, when it offered to help reunite families separated by Trump administration agents at the Mexican border.  

“DNA samples can be taken from all those in custody, with a commitment to respect their privacy,” Rep. Jackie Speier (D-Calif.) proposed after approaching the company.

Are we sure privacy was respected even before the latest hack? Of course not. After all, Buzzfeed News revealed in 2019 that another gene-test company, FamilyTreeDNA, had been giving the feds access to its own database. Given the gag orders used by authorities under the Patriot Act and the lack of privacy laws in the US, we might never know how much data 23andMe has already handed the feds — nor how many data breaches it may have quietly sealed up in-house before this one got out. 

You know the craziest thing about all this? 23andMe reportedly never made a profit. It was always just a bet that rode on some rich people’s last names, staying afloat for 16 years on a promising “maybe,” while Wojcicki got paid.

But Wojcicki was on a spree in 2019, doubling staff in a massive new building. She dropped another $400 million in 2021 for telehealth company Lemonaid. And reached peak celebrity when 23andMe went public, riding a $6 billion valuation. It didn’t matter that only two of the 50 possible drug candidates developed with its database ever got close to market approval; she still set up a 150-person drug outpost during the 2022 cash crunch. By the end of 2023, she fired half that staff, hit 23andMe with three rounds of layoffs, and sold off a subsidiary.


Wojcicki made $33 million in 2021. That’s absurd even by Silicon Valley standards. She made $20 million the year before. And when the Journal asked her about it last week, her response was such a transparent line of crap that everyone who read that article could see straight through her costly and careful facade. 

“I get minimum wage. I’ve never been paid in cash,” she said. 

I think her better quote came when she previously bragged to Fortune about being a billionaire: “Having cash — and being able to fund projects — opens up doors.”

I’m sure she’s right, and that her cash will open up plenty of doors for her in the coming months. Office doors of lobbyists, lawyers, and judges. Since billionaires are such special, precious babies who can never be allowed to see the inside of a jail cell, maybe that cash will open the doors to her private jet for her — which she will board with whatever coterie of Yes-men she keeps around to prop up her delusional notions of tech ethics. Maybe, if we’re all lucky, she can then flee any trace of accountability for her starring role in this mess, as she seems to so desire, and relieve us all of having to watch the remainder of her company’s grotesque spectacle.

An earlier version of this article originally appeared in Salon’s Lab Notes, a weekly newsletter from our Science & Health team.
