IT Brief US - Technology news for CIOs & IT decision-makers

Concerns over genetic data security as 23andMe bankrupts

Yesterday

Following the bankruptcy filing by 23andMe, cybersecurity professionals have expressed concern over the future handling of the company's vast repository of genetic and personal health data.

Ensar Seker, Chief Information Security Officer at SOCRadar, highlighted the unique nature of the data at risk: "With 23andMe facing bankruptcy, there are serious concerns about what happens to millions of users' genetic and personal health information (PHI)."

"This isn't just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations. Unlike a password or credit card number, you can't change your DNA."

Seker warned of potential issues that could arise during bankruptcy proceedings: "The most immediate risk is that this highly valuable dataset could be sold during bankruptcy proceedings, either to repay creditors or as part of asset acquisition."

"While regulations such as HIPAA and data use agreements exist, bankruptcy can complicate consent, data retention, and transfer policies, especially if the company is acquired by a foreign entity or a data broker."

He also pointed out security concerns: "From a security perspective, if proper safeguards and access controls aren't maintained during this uncertain period, there's a high risk that this data could be exfiltrated, sold on the dark web, or used in nation-state-level surveillance and profiling operations."

"It could even be leveraged in advanced identity fraud, blackmail, or discriminatory practices, especially if combined with breached data from other sources."

Seker emphasised the potential strategic interests in the data: "Additionally, given the military, political, and economic interest some governments have in genomic data, there's also a strategic threat vector here. DNA data can reveal not just ancestry but predispositions to diseases, behavioral traits, and vulnerabilities, information that could be abused in both commercial and geopolitical contexts."

Seker summed up the gravity of the situation: "The bottom line is that 23andMe's bankruptcy shouldn't just be seen as a business failure."

"It's a data stewardship crisis. Regulators, privacy watchdogs, and even national security agencies should step in to ensure that this dataset doesn't fall into the wrong hands. Transparency, oversight, and ethical responsibility are now more important than ever."

Commenting on the immediate actions users can take, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, mentioned: "23andMe is based in South San Francisco, California, so the company's data is subject to the stricter privacy protections enforced in California."

"The bankruptcy is Chapter 11, meaning the company will likely continue operating until a new buyer is found. This means 23andMe customers do still have time to request that the company delete all of their data, including their genetic data. I strongly recommend that affected customers make a deletion request as soon as possible, to ensure that your data is not sold."

Paul Bischoff, Consumer Privacy Advocate at Comparitech, noted the potential changes in privacy policies: "The privacy policy that 23andMe customers agreed to may no longer apply if another company acquires it or its assets. Furthermore, genetic data is not considered medical info in the USA, and 23andMe is not considered a healthcare provider, so it's not subject to HIPAA protections."

"Whoever acquires 23andMe will be free to change the privacy policy. I recommend deleting your 23andMe account immediately and requesting your personal data be deleted. Given the company's data breach and compliance with law enforcement, this should be a no-brainer for privacy."

Brian Higgins, Security Specialist at Comparitech, provided insights on regulatory differences: "It really depends on where the company is registered. In the case of a UK bankruptcy, according to the Insolvency Service, 'The official receiver will become the data controller for personal data held by the bankrupt.'"

"This at least gives some confidence to those customers affected by the failure of the company as regulations regarding storage, security and access ought to be maintained."

He added: "If 23andMe were incorporated/registered elsewhere then it would be worth checking the data protection regulations of the jurisdiction concerned as there are some major differences in provision across the globe."

Martin Jartelius, CISO at Outpost24, cautioned about future uncertainties: "When any organization goes under, it will be harder to maintain privacy and control of information. We do not know who will pick it up, we do not know if sunsetting will be needed and we do not know how said sunsetting would work. The cyber element of personal data is generally related to credibility, such as the ability to refer to a relationship or bond to instigate an action of others, or simply the use of information related to the platform for the purposes of fraud or extortion - none of those are immediate and none are disastrous."
