As 23andMe declares bankruptcy, privacy advocates sound alarm about DNA data

Genetic testing business 23andMe filed for bankruptcy Sunday, amplifying fears from privacy advocates that the DNA records and personal information of its 15 million customers could soon be up for sale to the highest bidder.
23andMe, which was once valued at $6 billion, has been experiencing financial distress and declining profits since going public in 2021.
As part of the bankruptcy process, 23andMe will go through a restructuring and sale. An FAQ posted on the company’s website said it will “seek to find a partner who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on.”
The FAQ also claims that the bankruptcy process itself won’t change how 23andMe stores, manages or protects personal data and that user privacy will be an “important consideration” in finding a sales partner.
“Any buyer will be required to comply with applicable law with respect to treatment of customer data,” the FAQ stated.
The company plans to continue operating and taking new orders for DNA tests during this process. Customers who purchased a test kit before March 23 will have 30 days to request a refund, while anyone who purchases a kit after that will have 24 hours.
Anne Wojcicki announced Monday that she had stepped down as CEO after her initial bid to purchase the company and its assets was rejected. Wojcicki said she was doing so to “be in the best position to pursue the company as an independent bidder.”
In her comments, Wojcicki did not explicitly detail how 23andMe would use customer data under her ownership, but endorsed the general concept that users should have “choice and transparency” over their personal data and claimed she “will continue to tirelessly advocate” for that to continue.
According to court documents, the deadline for receiving outside bids for the company is May 7, while an auction, if necessary, will take place May 14. An initial outreach effort by consultant firm Moelis & Company identified preliminary interest from numerous potential bidders and received several proposals that “reflect strong prospects for a robust, in-court sale process and competitive auction.”
While 23andMe has publicly pledged it will search for a buyer with a commitment to data privacy, the court documents specify that the company will “consider all viable options” when selling individual assets and stressed that “any delay in the sale timeline would hinder” its efforts to maximize value in a sale.
Peter Berk, a senior attorney in the cybersecurity, data privacy and protection group at law firm Clark Hill, told CyberScoop that while 23andMe likely has other assets, its database of genetic data is “clearly” the most attractive one for buyers. That may pressure 23andMe to relax restrictions on how potential buyers can use that data, especially if strict limits could affect the sales price.
Large databases of genetic data are heavily targeted by cybercriminals and nation-state hackers, and as 23andMe looks to sell them as distressed assets, both the company and potential buyers could also find themselves in the crosshairs.
“If I know about the sale, that becomes a target, so as a cybercriminal I might target the seller or the buyer in the transaction to try to get into the communications, or figure out how I can intercept the transmission of that exchange,” Berk said.
Although data breaches and the sale of personal information are common, cybersecurity and privacy advocates are particularly concerned about 23andMe. Unlike other personal data such as passwords or phone numbers, biometric data like DNA is permanent and cannot be changed.
As data privacy expert Justin Sherman put it in 2023 when scoping out the potential impact of 23andMe’s data breach, the public has only a limited understanding of how current and future technologies will be able to exploit genetic and biometric data. It’s unlikely that many of the people posting their photos on social media in 2005 were aware they were developing training material for future facial recognition systems or providing seed material for nonconsensual deepfakes.
“It’s hard to forecast how the damage of genetic data breaches will unfold years down the line. The potential for genetic data exploitation is only likely to increase,” Sherman wrote.
In 2023, the Federal Trade Commission highlighted how such biometric data can be used to facilitate identity theft, create deepfakes or link individuals and their data to a host of other digital services across the public and private sector.
Last year, residents in Illinois filed a class-action lawsuit against Verogen, which provides DNA comparison and matching services using testing kits from third-party companies like 23andMe. They allege that Verogen, through an “undisclosed written agreement” with Meta, placed tracking pixels on its website that linked users of the service to their Facebook profiles. This data, disclosing not only that individuals may have utilized DNA testing services but also explicitly connecting them to the data-rich Facebook profiles, was then sold to marketers, the plaintiffs claim.
Meanwhile, another testing company, Ancestry.com, was sold to private equity firm Blackstone in 2020. Blackstone has since claimed it will not seek to access user DNA data for other business purposes, and a lawsuit filed by former customers alleging the sale would put their genetic data at risk of exposure and abuse was dismissed by an Illinois judge in 2023.
In addition to misuse, such data can often be exposed through data breaches, and 23andMe and other DNA testing companies like Vitagene and Veritas have all had their customers’ data exposed through breaches since 2019.
California Attorney General Rob Bonta issued a March 21 consumer alert about 23andMe’s impending bankruptcy, advising users that under state law they have the right to delete their genetic data, destroy their test saliva samples and revoke permissions for their data to be used in generic research.