Concerns are growing among 23andMe customers as the company faces financial instability and resignations of its board of directors following a major data breach last year. Users are questioning the fate of their genetic data, and privacy experts are warning about the lack of robust federal protections around such sensitive information.
The company has faced several issues in recent years, significantly impacting its public trust. In October 2023, 23andMe experienced a major data breach involving around 14,000 users whose accounts were directly compromised through credential stuffing — a method where leaked credentials from other breaches were used to access their 23andMe accounts.
This incident led to the exposure of an additional 6.9 million user profiles through features like DNA Relatives and Family Tree, which connect users based on shared genetic data. In response to the breach, 23andMe implemented security measures, such as mandatory password resets and introducing two-factor authentication (2FA). However, it took until November 2023 for 2FA to become compulsory for all users, leaving a period where many accounts were vulnerable.
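The credential-stuffing pattern described above is detectable on the provider side, because a replayed breach list looks different from a user retrying one account. The following is an added example (not code from the page or from 23andMe) that runs a simple detector over constructed authentication log lines; the log format, IP addresses, usernames and thresholds are all assumptions.

```python
# Credential-stuffing detector over constructed auth log lines.
# Assumed record format (constructed): "<timestamp> <src_ip> <username> <OK|FAIL>"
from collections import defaultdict

LOG_LINES = """\
2023-10-01T02:00:01 203.0.113.7 alice FAIL
2023-10-01T02:00:02 203.0.113.7 bob FAIL
2023-10-01T02:00:03 203.0.113.7 carol OK
2023-10-01T02:00:04 203.0.113.7 dave FAIL
2023-10-01T02:00:05 203.0.113.7 erin FAIL
2023-10-01T02:00:06 203.0.113.7 frank OK
2023-10-01T02:00:07 203.0.113.7 grace FAIL
2023-10-01T02:00:08 203.0.113.7 heidi FAIL
2023-10-01T02:00:09 203.0.113.7 ivan FAIL
2023-10-01T02:00:10 203.0.113.7 judy FAIL
2023-10-01T02:05:00 198.51.100.9 alice FAIL
2023-10-01T02:05:03 198.51.100.9 alice FAIL
2023-10-01T02:05:09 198.51.100.9 alice OK
""".splitlines()  # constructed sample, not real traffic


def parse(line):
    ts, ip, user, result = line.split()
    return ts, ip, user, result


def find_stuffing_sources(lines, min_users=8, max_success_rate=0.5):
    """Return source IPs that cycled through many distinct usernames with
    a low success rate. A legitimate user retrying one account (198.51.100.9)
    is not flagged; a replayed breach list (203.0.113.7) is. The small but
    non-zero success rate is the tell: those are the reused passwords.
    'compromised' lists accounts that should get a forced reset and 2FA."""
    users, ok_users, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        _, ip, user, result = parse(line)
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            ok_users[ip].add(user)
    flagged = {}
    for ip, total in attempts.items():
        rate = len(ok_users[ip]) / total
        if len(users[ip]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "success_rate": round(rate, 2),
                "compromised": sorted(ok_users[ip]),
            }
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(LOG_LINES))
```

The accounts in `compromised` are the ones whose sessions would also need to be revoked, since a valid session is what let an attacker walk the DNA Relatives data of other users.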
23andMe, the popular direct-to-consumer genetic testing service, has amassed genetic information from over 15 million customers since its founding in 2006. While many customers who took the test for ancestry insights were initially content with the results, recent data breaches and the company's uncertain financial future have raised serious concerns. The biotech firm, which once boasted a $6 billion valuation, has seen its shares plummet to nearly zero, sparking questions about its longevity and plans for handling user data.
The company has previously stated that it is committed to transparency and user choice when it comes to data management. However, recent incidents, including the 2023 breach, have led privacy advocates and legal experts to call for clearer guidelines on the company's handling of genetic data. With 80% of 23andMe customers opting in for their data to be used in medical research, concerns have arisen about potential misuse or sale of the information, particularly if the company is forced to restructure or sell assets.
Privacy risks and legal protections
A significant issue lies in the limited legal protections over genetic data. Unlike traditional healthcare data, which is safeguarded by laws like HIPAA, genetic data from companies like 23andMe lacks comprehensive federal protection. Although some states like California and Florida provide certain consumer rights over genetic data, the protections are patchy at best, making it difficult for users to ensure their data is securely managed.
Even if 23andMe's data is anonymized before sharing with partners, like pharmaceutical giant GlaxoSmithKline (GSK), the anonymization makes it nearly impossible for customers to retract their data later. Privacy advocates point out the danger in relying on company terms of service for privacy protection, highlighting how such data could potentially be accessed by law enforcement, as seen in cases involving genealogy websites.
Corporate instability and path forward
Last month, all independent directors of 23andMe's board resigned, citing irreconcilable differences with CEO Anne Wojcicki regarding the strategic direction of the company. The directors criticized the lack of a concrete plan to navigate the company's future, adding further uncertainty to its stability. Wojcicki had previously proposed taking the company private but later retracted the idea.
CyberInsider has contacted 23andMe with questions on the situation and what assurances it can provide to customers regarding their genetic data safety, and company CEO Anne Wojcicki provided a statement reaffirming its commitment to customer privacy while making clear her plans to take the company private.
Wojcicki, who holds 49% of the company's voting stock, stated that she remains committed to completing a take-private acquisition of 23andMe, which she believes is the best way forward for the struggling biotech firm. Importantly, she emphasized her commitment to maintaining the company's existing privacy policy even after the acquisition. Wojcicki's new filing with the SEC also indicates that she is no longer open to considering third-party takeover proposals.
She reiterated that the privacy policy, which includes provisions for customers to delete their data at any time, will remain in force “for the foreseeable future.” Under the current policy, users can request account deletion through an automated process that begins immediately once confirmed.
Wojcicki's statement to CyberInsider provides some reassurance to users concerned about the future use of their genetic information. However, as the company navigates a period of uncertainty, it remains to be seen how these plans will unfold and what the impact on customer data may be.
What should 23andMe customers do?
Amid growing concerns, some industry experts and privacy advocates are advising users to take proactive steps in managing their genetic data. Signal President Meredith Whittaker advised users to consider closing their accounts with 23andMe and opting for deletion of their data through the company's automated account closure process. Whittaker emphasizes that while closing an account does not fully eliminate privacy risks, it can limit exposure in the future.
23andMe's account deletion process is straightforward and can be initiated directly through account settings. Once confirmed, users lose access to their data, and any genetic samples stored by the company are discarded. However, some data may still be retained as required by law or for specific business purposes.
Sharing DNA data with private companies poses significant privacy risks, as genetic information is not only deeply personal but also immutable and unique to each individual. Unlike a password or credit card number, your genetic data cannot be changed if compromised.
Without robust legal protections and clear regulations on how these companies use, share, or sell this data, there's potential for misuse — from commercial exploitation to potential access by law enforcement without consent.
Ultimately, and as proven in the case with 23andMe, data breaches are a persistent risk, leaving individuals and their families vulnerable to privacy violations for years to come.