News of the troubled DNA testing services company 23andMe filing for Chapter 11 bankruptcy protection set off a spirited debate in the security community this week, as experts expressed concern over the fate of the DNA data the company has collected on more than 15 million customers over the past two decades.
Security pros and privacy advocates worried about how the data will be managed during the Chapter 11 proceedings. In the meantime, news organizations offered advice on how 23andMe customers could delete their data — a process that was cumbersome because the company’s website was operating slower than usual over the past few days.
“The bankruptcy filing of 23andMe raises a pressing issue about the fate of its highly sensitive genetic data, which is now at risk of being sold off or mishandled,” said Aditya Sood, vice president of security engineering and AI strategy at Aryaka. “Now, the fate of millions of DNA profiles hangs in the balance, raising urgent concerns about who may ultimately gain access to this deeply personal information.”
Sood pointed out that attackers can exploit DNA profiles for identity theft, genetic discrimination, extortion, or even tailored social-engineering attacks. Adversaries could potentially launch medical identity theft using stolen genetic data to impersonate individuals for fraudulent medical treatments or prescriptions, said Sood.
“The potential for targeted bio-threats, enabled by advances in biotechnology and gene-based medicine, is not a distant possibility, but a real and immediate danger,” said Sood. “DNA could be leveraged to access personalized medicine gene therapy or sell fake genetic test results on the black market to alter victims' medical records, resulting in misdiagnosis, incorrect treatments, or insurance fraud.”
Data stewardship risks amid 23andMe bankruptcy
Gabrielle Hempel, security operations strategist at Exabeam, said she’s always been deeply unsettled by the reality that it’s not possible to de-identify genetic data. Hempel pointed out that a person’s genome is their identity. Even when we remove all of what we consider PII, we’re still left with a blueprint that uniquely maps back to an individual — and by extension, their relatives, Hempel continued.
“That’s not something that can ever be fully anonymized, obfuscated, or tokenized away,” said Hempel. “When a company like 23andMe enters bankruptcy proceedings, it’s not just assets and liabilities being handed over, it’s millions of irreplaceable, irrevocable data sets. Genetic data, lineage, health markers. In any other vertical, this is a non-issue, but in genomics, once it’s out, it’s out forever.”
Hempel said that when news of last year’s 23andMe breach came out, in which user profile data was scraped via credential stuffing, it was already a reminder of the fragility of security controls in consumer genomics. However, Hempel said bankruptcy introduces a new level of concern surrounding data stewardship risk.
“When ownership shifts, so do priorities,” said Hempel. “Regulatory guardrails in the U.S. are extremely thin when it comes to secondary use, sale, or transfer of genetic data post-acquisition or during liquidation. Consumers are being advised to delete their data, but even then, what confidence do we have that full deletion is possible? This data has already been used for thousands (if not more) of derivative datasets.”
Who controls DNA data collected by 23andMe?
Gal Ringel, co-founder and CEO at Mine, added that when a company that’s built on personal data collapses, it forces the entire industry to confront an uncomfortable truth: user trust is fragile. Ringel explained that genetic data isn’t like passwords or credit cards — we can’t reset a person’s DNA.
“The 23andMe case isn’t just about bankruptcy or leadership change,” said Ringel. “It’s about what happens when the value of data outlasts the company that collected it. Consumers are now asking questions companies should have asked themselves much earlier: Who owns this data? Who controls it during an acquisition? Can it be sold? Should it be? These aren’t theoretical concerns, they’re central to any business working with personal or sensitive data. This is a wake-up call for the tech world to take data stewardship seriously, before it’s too late.”
Darren Guccione, co-founder and CEO at Keeper Security, added that the protection of genetic data requires more than just encryption: it demands strict privacy, access controls, and robust identity security. Guccione said organizations handling this type of incredibly sensitive data must implement a zero-trust approach with stringent internal controls, ensuring that access is tightly restricted to only those who absolutely need it.
“Privileged access management is essential to minimizing risk, preventing unauthorized access and limiting the potential damage of a breach,” said Guccione. “Companies should enforce strong authentication requirements, regularly audit access logs and restrict third-party integrations that could introduce vulnerabilities.”
Guccione added that organizations storing any personally identifiable information, including attributes of users’ DNA, should meet recognized security certifications such as SOC 2 Type 1 and Type 2 and ISO 27001, 27017 and 27018. These certifications demonstrate that the company has established robust controls covering confidentiality, security, privacy, risk management practices and internal audits to safeguard sensitive data, processes and infrastructure. Guccione also noted that regular monitoring and periodic audits are important for ensuring continued compliance.