23andMe's recent filing for Chapter 11 bankruptcy protection has sent shockwaves through the security community, highlighting pressing concerns about the stewardship of sensitive genetic data. On March 25, 2025, New York Attorney General Letitia James urged customers to secure their data as rising privacy concerns emerge in the wake of the company’s financial instability.
Following a notable decline in demand for its DNA testing services, 23andMe, a company that has collected genetic information on over 15 million customers, filed for bankruptcy. The stock's value plummeted 11% on the day of the announcement, closing at just 65 cents, which came after an astonishing 59% drop the previous Monday. The situation has led many concerned users to delete their accounts, taking to social media to seek and share advice on this cumbersome process due to malfunctions on the company’s website.
“Genetic data isn't just a bit of personal information — it is a blueprint of your entire biological profile,” warned Adrianus Warmenhoven, a cybersecurity expert with NordVPN. He pointed out that when a company like 23andMe goes under, this personal data can be at risk of being sold off with potentially far-reaching consequences.
The concerns surrounding 23andMe's management of customer data were echoed by California Attorney General Rob Bonta, who also urged users to delete their genetic data due to the company's financial distress. The attorney general's message was clear: as control of such sensitive information shifts with bankruptcy, users must take measures to protect themselves.
Over the years, 23andMe has made at least 30 agreements with companies, including British drugmaker GSK, allowing them access to its vast database. However, the nature of these deals and their implications for user privacy remain largely undisclosed. In response to previous concerns about data security, the company had proposed a $30 million settlement to address accusations of mishandling the personal information of 6.9 million customers after a significant data breach in 2023. This settlement, however, was not fully approved, raising further doubts about the company’s accountability.
The recent Chapter 11 filing has opened up a broader dialogue on the security of genetic data. Cybersecurity experts have expressed alarm over what happens to millions of DNA profiles when a data-centric company collapses. Aditya Sood, vice president of security engineering and AI strategy at Aryaka, noted, “The fate of millions of DNA profiles hangs in the balance, raising urgent concerns about who may ultimately gain access to this deeply personal information.” More alarmingly, stolen genetic data could lead to a myriad of criminal activities, including identity theft and extortion.
Gabrielle Hempel, a security operations strategist at Exabeam, shared her concerns about the inherent challenge of anonymizing genetic data. “When a company like 23andMe enters bankruptcy proceedings, it’s not just assets and liabilities being handed over, it’s millions of irreplaceable, irrevocable data sets.” She emphasized that even separate identifiable information (PII) cannot fully protect individuals since genetic data is linked directly to identities and their families.
The case of 23andMe raises difficult questions about ownership and control of genetic data. Gal Ringel, CEO at Mine, explained how consumer trust is fragile when companies fail. He raised critical issues: “Who owns this data? Who controls it during an acquisition? Can it be sold?” These questions, he notes, are fundamental to any business that deals with sensitive data.
As the debate continues, Darren Guccione, the co-founder and CEO at Keeper Security, stressed the necessity of robust data security measures for companies in the sector. He highlighted that companies must implement stringent access controls and a zero-trust framework to protect genetic data from unauthorized access and potential breaches. “Privileged access management is essential to minimizing risk, preventing unauthorized access, and limiting potential damage from a breach,” he stated.
This failure of oversight at 23andMe serves as a reminder that the handling of sensitive information must come with serious responsibilities. The repercussions of mishandling such data are not merely about finance but also about trust, privacy, and the potential risks to individual security.
Lawmakers and regulatory bodies may need to step in to establish clearer guidelines for the governance of genetic data, ensuring that individuals’ genetic profiles remain safe from exploitation or misuse, especially during times of corporate turmoil. As customers are encouraged to delete their genetic data, the intricacies involved in fully removing information from a database — especially one built on this level of personal information — are daunting and complex.
The recent developments surrounding 23andMe highlight an urgent need for both consumers and companies to prioritize data security in an increasingly data-dependent world. With growing privacy concerns underscored by financial instability and a history of data breaches, the dialogue over genetic data management is more crucial than ever, leaving customers questioning the future of their genetic information and their rights to protect it.
