00:00The gentleman yields. Mr. Crane, the gentleman from Arizona, is recognized for five minutes for questioning.
00:07Thank you, Mr. Chairman. According to public reporting, individuals with Jewish and Chinese heritage were targeted in the hack that happened a couple years ago at 23andMe.
00:22Ms. Wojiecki, why were Chinese and Jewish individuals targeted during this hack?
00:27Ms. That's a great question. I don't believe it was specifically those individuals.
00:35It was definitely something that was reported in the media, and there were a lot of Jewish relatives that were in some of that information,
00:42but I don't believe it was necessarily a specific attack on those. It was the credential stuffing.
00:47But didn't one of the individuals say that he would sell information about individuals with Jewish heritage?
00:55Ms. They did report that they said that.
00:58Okay. Interesting. Having people's personal DNA profiles unsecured is obviously a very serious issue.
01:07It could be used to develop bioweapons, force readiness analysis, Black-Miller coercion, and pharmaceutical targeting.
01:18I noticed when Ms. Presley asked if you would allow consumers who had submitted their DNA to 23andMe to erase their data from the site before the sale to a new buyer,
01:30neither of you could answer yes. I want to go into that for a second.
01:34Why could neither of you answer yes if both of you claim that the owners of the DNA is actually your customers?
01:42Mr. Our customers always have control over their data.
01:47They can, you know, basically they can access their data, they can edit their data, they can opt in or out of any research consent,
01:54and most importantly, at any time they so choose to, they can delete their data.
02:00In the case of...
02:01Then why can't you answer Ms. Presley's question that way?
02:05Do you remember that question, sir?
02:07I don't remember the exact question she asked, but for our customers, you know...
02:12Her question, sir, was will you give your customers the ability to opt in, back in, before the sale to a new owner that they didn't submit their data to?
02:25I believe her question to me was, will we give people direct notice to say that they can opt out, opt in or out of keeping their data?
02:37You know, what I am saying today is, at any time, and this has been the case since the founding of 23andMe,
02:44a customer can delete their data.
02:46It's an automated process.
02:47They simply go into their account, click, you know, go to the settings, and they can click delete their data.
02:53It's an automated process.
02:55We delete all their digital data, and if they've biobanked the sample and consented to that, we destroy that sample.
03:04And we do that timely, and we've done that for every customer who requested us since, you know, since inception,
03:11including the large number of customers who requested the deletion of their data since the bankruptcy.
03:15How difficult is it to do that, Mr. Selsovich?
03:19I think it is very simple.
03:21I mean, I think it would probably take somebody less than five minutes to go into their account, go to the settings, click delete my data.
03:28And for the company, it's an automated process.
03:31Mr. Selsovich, you said you're very confident that American data will not wind up in the hands of a bad actor.
03:38Did you say that a few minutes ago?
03:40I did, Congressman.
03:41How can you make that claim when 7 million users have already had their information stolen?
03:45Congressman, you know, the cyber incident at 23 was very regrettable, and we've apologized for that to our customers.
03:55The data that was actually released in that cybersecurity incident was, you know, mostly DNA relative data.
04:04And while it is customer data that was revealed, we believe we've since, you know, enhanced the security at 23andMe,
04:14where we always maintain that it's a top priority for the company.
04:17And then second is through the sale process, we're ensuring that the sale of the company will not go to any company that is a foreign adversary to the U.S.
04:26Ms. Wojcicki, did I say that right?
04:32Wojcicki.
04:32Wojcicki, sorry.
04:33You said the same thing, that you were very confident that data would not wind up in the hands of a bad actor.
04:38I mean, you've been in this space for a long time.
04:40You know hacks happen every single day.
04:42You know that many nation states that are adversarial to the United States of America have very robust cybersecurity operations.
04:50How can you be confident when 7 million of your customers have already had their data stolen?
04:58Just to reiterate, I'm not part of the bankruptcy process other than the fact that I'm an active bidder.
05:03During my time at the company, we did very proactive steps.
05:07For instance, like I mentioned, keeping the genetic information separate from all the identifiable information.
05:13So we tried to create a structure where even if there was some kind of breach, that you would not be able to reconnect those and identify back to the individuals and who they were.
05:24So in the cyber incident, it was, as Mr. Selsavage was saying, a lot of it was DNA relatives' names and small amounts of information.
