The 23andMAGA Lessons for the 21st Century
How the 23andMe case is exemplary of the risks of mishandled privacy in an era in which authoritarian regimes partnering with tech oligarchs is becoming the new normal
Welcome to another issue of Sudo Make Me a CTO. In today's article, I will focus on a topic often dismissed as unsexy, boring, and bureaucratic, but which I believe is at the core of our responsibilities as technology leaders: user privacy.
I want to take inspiration from the trajectory of a Silicon Valley company that rose and fell spectacularly, raising many reasonable concerns about our relationship with sensitive personal data: 23andMe.
The Story of 23AndMe
23andMe was founded in 2006 by Anne Wojcicki, Linda Avey, and Paul Cusenza[1]. The name refers to the 23 pairs of chromosomes in a normal human cell. The founders aimed to democratize access to personal genetic information, allowing users to learn about their ancestry and potential health predispositions.
After trouble with the FDA in 2013 forced the company to stop providing health interpretation reports to customers, 23andMe worked collaboratively with the FDA from 2015 onwards and received subsequent authorizations to generate health-related reports and recommendations for its users.
The company went public in June 2021, at the tail end of the decade of ZIRP[2], which made cash easily accessible and valuations for tech companies insanely optimistic. The company went public through a merger with a SPAC backed by Richard Branson's Virgin Group.
After the initial valuation of about $3.5B, the company stock value peaked at about $6B later in the same year before starting a downward trend that has continued ever since.
More recently, the company was the victim of a massive data breach that went undetected for months between May and October 2023, affecting the data of about 6.9 million users[3].
Many bad things contributed to that data breach, something we'll get into later.
Multiple individual and class actions ensued, and the company agreed to a $30 million settlement in September 2024. By then, the company valuation had already reached penny-stock[4] status, losing more than 98% of its peak valuation.
The entire board of directors left the company, while CEO Wojcicki made several failed attempts to take the company private under her leadership.
Ultimately, the company filed for bankruptcy on March 24th, 2025, just a few weeks ago.
The story of 23andMe could simply be archived as yet another story of ego-driven and delusional techno-entrepreneurs cherished and supported by the investor community mainly for their eloquence, stubbornness, network, and personal brand rather than competencies and values.
There is a long list, from Adam Neumann to Sam Bankman-Fried, from Elizabeth Holmes to the co-founder and CEO of 23andMe, Anne Wojcicki.
There are deeper concerns in this case, however, that go beyond the need to develop antibodies against the enthusiastic propaganda coming out of the valley, which tends to idolize people based on how much money they're able to raise or accumulate, often dismissing deeper considerations about how they got there and who had to lose for them to win.
These concerns are, I believe, relevant to you, dear readers. I break them down into first-order and second-order learnings.
First-order learnings
The story of 23andMe is a reminder of two things:
Data security is a very serious business
Most companies don't take it seriously enough
Let's tackle the two points in order.
Data Security is a very serious business.
The financial and reputational losses a company suffers due to a serious data breach can be the difference between being in business and filing for bankruptcy. I've been having this discussion with executive teams countless times, yet most of the time, those warnings are received with shrugs and statements such as "Startups can't be that risk-averse if they want to have a chance at succeeding."
I hope the 23andMe story demonstrates just the opposite.
By the company's own admission, the breach and its consequences, both on finances due to the $30 million settlement and on sales due to the company's reputation going bonkers, have been major drivers for the need to file for bankruptcy in March 2025[5].
Granted, there is apparently a long list of stupid business decisions that contributed to the company's failure, not to mention the power struggle and ego-dances between the original cofounders, the CEO, and the board. But those are almost table stakes these days; just look at OpenAI for an example.
Furthermore, having poor cybersecurity practices in place is a business decision, especially if you're a company trusted by some 15 million users with the most personal data they can put in your hands: their genomics data.
Most companies don't take it seriously enough.
Complying with data privacy regulations, especially for a small firm, can be a nontrivial challenge. This is especially true when some of those initiatives are internally driven more by an intention to comply with the letter rather than the spirit of the law.
That's how you end up with annoying and intrusive cookie consent modal windows everywhere, sitting on top of systems that fail to protect users' data at a more fundamental level.
As a friend and former colleague would say, when it comes to privacy, we often paint the walls rather than fix the foundations of a crumbling building.
The 23andMe case is an excellent illustration of the overall attitude towards data privacy and data protection in this industry.
They had lawyer-proof terms and conditions and privacy policies on their site. They made recurring public declarations about treating the data their users had entrusted to them with the utmost seriousness and care.
The breach they suffered tells a very different story. Besides the fact that in their official statements, the legal representatives of the company essentially blamed their users for lousy security practices, the meat is in how the incident unfolded.
The breach was discovered after someone external to the company posted a message on the unofficial 23andMe subreddit. Read that again.
That single sentence contains enough material to fire the whole executive team for incompetence and fraud. This is precisely how they reported the incident in their official filings with the authorities:
On October 1, 2023, a third party posted on the unofficial 23andMe subreddit site claiming to have 23andMe customers' information and posting a sample of the stolen data.[6]
Not only did they not detect the breach internally, but according to the same filings, the attack had been ongoing between May and September 2023.
Five months of malicious activity on the site had gone completely undetected.
The actions that immediately followed were nothing more than another sign of incompetence and wrongdoing on the company's part. On November 6th, 23andMe enabled mandatory two-factor authentication (2FA) to protect user accounts from unauthorized access.
In other words, a company that had been in the business of dealing with extremely sensitive personal data for almost two decades, reaching a peak valuation of $6B and enlisting hundreds of the brightest and most competent employees you could find on the planet, thought it reasonable to enforce 2FA only after failing to protect the data of about 6.9 million users.
When something so obviously wrong can happen at that scale, what should we expect from companies that handle less sensitive data, boast less hyped valuations, and can't afford to hire in the cradle of technology?
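As an added illustration, not code from the article or from 23andMe, here is the kind of basic check an authentication-log pipeline can run so that months of account abuse do not go unnoticed. The log format, IP addresses, account ids and thresholds are constructed; it assumes the abuse looks like one source cycling through many distinct accounts with a high failure rate, and it also lists accounts that were successfully entered without a second factor, the gap the mandatory-2FA decision closed only after the fact.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real 23andMe data).
# Fields: timestamp, source IP, account id, outcome, whether a second factor was used.
SAMPLE_LOG = """\
2023-05-02T01:10:04Z src=203.0.113.9 acct=u1001 result=ok mfa=no
2023-05-02T01:10:09Z src=203.0.113.9 acct=u1002 result=fail mfa=no
2023-05-02T01:10:13Z src=203.0.113.9 acct=u1003 result=ok mfa=no
2023-05-02T01:10:20Z src=203.0.113.9 acct=u1004 result=fail mfa=no
2023-05-02T01:10:25Z src=203.0.113.9 acct=u1005 result=ok mfa=no
2023-05-02T08:30:00Z src=198.51.100.7 acct=u2001 result=ok mfa=yes
2023-05-02T08:31:12Z src=198.51.100.7 acct=u2001 result=ok mfa=yes
2023-05-03T02:00:00Z src=203.0.113.9 acct=u1006 result=ok mfa=no
2023-05-03T02:00:05Z src=203.0.113.9 acct=u1007 result=fail mfa=no
2023-05-03T09:12:44Z src=192.0.2.44 acct=u3001 result=fail mfa=no
2023-05-03T09:13:01Z src=192.0.2.44 acct=u3001 result=ok mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\S+) "
    r"result=(?P<result>ok|fail) mfa=(?P<mfa>yes|no)$"
)

def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def flag_sources(events, min_accounts=5, min_fail_rate=0.3):
    """Flag sources that touch many distinct accounts with a high login failure rate."""
    per_src = defaultdict(lambda: {"accts": set(), "tries": 0, "fails": 0})
    for e in events:
        s = per_src[e["src"]]
        s["accts"].add(e["acct"])
        s["tries"] += 1
        s["fails"] += e["result"] == "fail"
    flagged = {}
    for src, s in per_src.items():
        fail_rate = s["fails"] / s["tries"]
        if len(s["accts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[src] = {"accounts": len(s["accts"]), "fail_rate": round(fail_rate, 2)}
    return flagged

def accounts_without_mfa(events):
    """Accounts that had a successful login without a second factor (2FA not enforced)."""
    return sorted({e["acct"] for e in events if e["result"] == "ok" and e["mfa"] == "no"})
```

Running the two functions on a daily window and alerting on any flagged source is the minimal control whose absence the article describes.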
How many daily sacrifices to responsible data handling and protection are being perpetrated on the altar of friction removal, or because someone still lives by the move fast and break things motto?
In this moment in history, which is dominated by neoliberal theories and where institutions are constantly blamed and accused of being obstacles to economic growth, I'd say that what happened with 23andMe is a clear failure of regulations and institutions.
It's a failure because they did not prevent it from happening. Entrepreneurs such as Anne Wojcicki are given too much latitude to harm millions of people, and the systems meant to prevent that are not nearly as sophisticated as they should be.
Such a view is only reinforced by second-order considerations.
Second-order considerations
The most concerning aspect of the 23andMe story emerges more clearly as you start connecting the dots between the facts, the history of the past 100 years, and what's happening right now in front of everyone's eyes.
The breach was discovered in October 2023 because a sample of the stolen data had been published on BreachForum, a well-known cybercrime forum. The sample proved the danger associated with large databases of genetic data: it targeted specific ethnicities.
Specifically, it contained data targeting mostly Ashkenazi Jews but also included many records of ethnic Chinese people.
Coincidentally, around the time 23andMe was established, in 2006 or 2007, I had a conversation with someone who forever changed my perspective on privacy.
We were talking about privacy, social networks, and individual digital rights in general. At the time, I was among those who relied on a naive interpretation of privacy. This familiar take could have easily summarised my stance: I am a law-abiding citizen with nothing to hide. Why should I make a big deal out of privacy?
They replied with a question that has stayed with me ever since:
Can you imagine what would have happened if Adolf Hitler had had access to Facebook?
Granted, at that moment, I considered the chances of an authoritarian regime threatening my freedom and the freedom of those around me to be very unlikely, yet it helped me develop a completely different perspective on privacy and the importance of striving for its protection as a general immune system against abuses.
Fast forward some twenty years, and what used to be called the land of freedom has now turned into an authoritarian regime where governmental institutions are being dismantled with the excuse of efficiency, effectively turning the elected president into an autocrat in the same style as Vladimir Putin, just more arrogant, ignorant and vulgar.
Trump has already organized mass deportations of so-called criminals, in practice first- or second-generation immigrants from particular ethnic groups[7]. His actions and decisions are so erratic that you don't know who's next on the persona non grata list.
The dystopian but increasingly realistic scenario of 23andMe's database being liquidated for pennies as just one of the company's many assets should scare everyone who has used the service. Trump is surrounded by broligarchs[8] for whom that purchase would be little more than a rounding error on their balance sheet. What can happen next is the answer to the question my friend used to open my eyes:
Can you imagine what would have happened if Adolf Hitler had had access to Facebook?[9]
What to do?
As the saying goes, extraordinary times require extraordinary measures.
As an engineering leader, this is the time to become an even more vocal advocate for proper privacy measures to protect your users’ data. Ask yourself how comfortable you would be knowing that your company stores and manipulates your children's data.
You know what you will need to do if the answer is not a ten-over-ten.
As a person, stop drinking the shallow narrative that opposes the progressive and entrepreneurial culture of America (or China, or Russia) with the old-school bureaucratic Europe, which seems to be more concerned with bottle caps than with "making a lot of money," to quote the POTUS.
Such shallow diagnoses might work well for a tweet but lack the nuance and depth that we humans who have been equipped with the most advanced known form of Natural Intelligence should practice diligently.
Think of your digital life as if you were a Jew in Germany in the 1930s trying to escape the Gestapo and all the collaborationist entrepreneurs who sided with Hitler.
When your freedom and life are at stake, a frictionless sign-in process or knowing whether you are genetically inclined to sneeze when looking into direct light[10] should become secondary concerns.
If you enjoyed this
This newsletter is free, and I intend to keep it free forever.
Sharing it with others helps immensely in growing it.
Engaging with my professional services is a great way to ensure I can continue dedicating many hours each week to producing what I hope to be high-quality content.
Those services revolve around three pillars:
Fractional CTO or Advisory roles for startups, scaleups, and established tech companies. Find out more on this page.
Individual Mentoring and Coaching for Engineering Leaders. Find out more on this page.
A paid Community for engineering leaders. Find out more on this page.
If your needs fall into a different category, such as newsletter collaborations or sponsoring, please reply to this email or schedule a free call via this link.
If this pissed you off
Please share your thoughts in the comments, write a follow-up, or use whatever channel you prefer to share your thoughts, and make sure to link them here. I'm constantly refining and nuancing my views on such complex topics, and I welcome new input regardless of where it's coming from.
I've consulted multiple sources for this article, but I always recommend checking the relevant Wikipedia page as a starting point if you want to find more references and details.
Zero Interest Rate Policy. In layman's terms, the cost of borrowing money was basically zero, which caused an overflow of cash in the tech sector. More about it on Wikipedia.
Considering that the company had reported selling about 12 million genetic test kits to customers worldwide, the fact that the breach touched some 7 million users only illustrates how serious the incident has been.
Yes, this is another Wikipedia link for the curious.
Source: the data breach report from 23andMe.
There are plenty of resources online about this topic for those who care to educate themselves outside of the official propaganda. This article is a good example of how the US administration violated fundamental civil rights in this affair. Do you want to make their lives easier by providing them with data about your DNA?
While writing this article, I serendipitously encountered this recent TED talk from Carole Cadwalladr. In it, she makes an even more compelling point about the need to protect our privacy. She also coined the broligarch term, which I intend to abuse going forward.
Beyond mass deportation of ethnic groups, all sorts of discrimination and abuses would become easier and more effective. Maybe DOGE, after all, stands for Department of Gestapo Efficiency. Rather than the proverbial sky, human decency would be the limit here. Unfortunately, we've seen very little of that around the block lately.
I'm not making this up.
I don't think the data breach liabilities meaningfully contributed to 23andme's bankruptcy. More like a cherry on top.
Furthermore, the economics of the situation point more towards bad security constituting a negative externality (and a negligible cost of doing business).
Therefore, your argument becomes solely an ethical one, and I don't see how it would prevail, in real life, against economic incentives.