A POTENTIAL sale of the once-popular biotechnology company 23andMe could lead to a genetic information leak that could put users at risk, cyber security experts have warned.
The San Francisco-based genetic testing company filed for Chapter 11 bankruptcy on Sunday following months of uncertainty about the direction of the business, resignations, and a $30 million data breach settlement.
4
4
Since the filing, attorney generals from at least six states have urged users to delete their information from 23andMe’s platform and destroy genetic testing samples because of their sensitivity.
On Wednesday, a judge had ruled that all the genetic and health information provided by people to the company are considered valuable assets for 23andMe, who is permitted to sell the data to potential bidders, according to Bloomberg.
Offering at-home DNA testing kits, 23andMe boomed in the years following its launch in 2006, reaching a peak market cap of about $6 billion.
Millions of users sent the company saliva samples for analysis to learn about their ancestry and genetic makeup.
Read more in The U.S. Sun
The genetic information allowed 23andMe and its researchers to make future discoveries, which “could lead to new commercial products or services, for example, drugs, devices, or screening tests,” the company’s website read.
But in the wake of 23andMe’s financial distress, attorney generals in California, New York, Georgia, Nevada, New Hampshire, and Maine, have urged users to protect their sensitive information at all costs.
“23andMe has indicated they will continue to honor such actions, and users should make use of this option as soon as possible,” Aaron Ford, the attorney general of Nevada, said.
Mike Cobb, the chief information security officer for Drivesavers, told The U.S. Sun that simply deleting your information from 23andMe’s website does not guarantee that users are safe.
“Unfortunately, there’s no way for people to know. What I can say is that what I feel 23andMe has done is created a mechanism to delete the data that allowed them access to to give you the information, your DNA profile, etc.,” Cobb said.
“So, there should be a mechanism which has been there for years that allows you to delete that profile.
“I think that on the surface, that should be the same that’s been going on for years.
“So, the hope, and this is where it’s all under 23andMe, the hope is that they look at all of the controls that they put in place, looking at all the risks that when a customer asks to be deleted, the servers that hold that data hopefully have been properly, number one, are on an encrypted server.”
However, in a potential sale, Cobb said it is up to 23andMe to handle its users’ genetic information with care during the transition phase.
“The dangers when a company takes over another company, there’s a lot of transactions that may happen,” Cobb told The U.S. Sun.
“A lot of personnel that may have been with 23andMe for many years, and helped keep the data secure and understand the whole environment and why it was created that way.
4
4
“They may have been the ones that worked on their risk assessments. For me, the focus needs to be what’s the risk of the information that we hold for our customers getting to another entity.
“The reality is when your company is being taken over, the assets may lose the personnel who understood all aspects of the importance of that data.”
Cobb continued, “And now you might have new IT or administrators that have access to things they don’t fully understand.
“And the data may inadvertently, due to, you know, personnel changes, be led into the wild accidentally because they don’t understand all of the aspects of all of the controls and all of the risks that, you know, led up to those controls being needed.
“To me, it’s more of the passing of the torch from one team to another that potentially can create that gap.”
Several cyber security experts have also echoed the concerns of the state officials and made remarks similar to those of Cobbs, the chief information security officer for Drivesavers.
Dr. Rahib Hasan, the head of UAB’s Center for Cybersecurity, told Fox affiliate WBRC that in a sale of the company, 23andMe could sell its assets, which would mean users’ genetic data.
“Your DNA contains a lot of information about you, your family, and everyone,” Dr. Hasan said.
“So, if a marketing company can get hold of that information, they know what health issues you may have in the future.
“So, they can use that to market data, market products to you for the rest of your life, or insurance companies and others.
“They can discriminate against you. Even employers can look up this information to figure out the health risk of their potential employees and discriminate based on that.
“So, this is much more serious risk than losing a credit card number or other information because DNA is permanent, you can’t change your DNA.”
How to delete your 23andMe data
The California Attorney General has urged 23andMe users to delete their personal information from the website. His office offered the following steps to do so:
To delete genetic data from 23andMe: Customers can delete their account and personal information by taking the following steps:
- Log into your 23andMe account on their website
- Go to the “Settings” section of your profile
- Scroll to a section labeled “23andMe Data” at the bottom of the page
- Click “View” next to “23andMe Data”
- Download your data: If you want a copy of your genetic data for personal storage, choose the option to download it to your device before proceeding
- Scroll to the “Delete Data” section
- Click “Permanently Delete Data”
- Confirm your request: You’ll receive an email from 23andMe; follow the link in the email to confirm your deletion request
To destroy Your 23andMe test sample:
If you previously opted to have your saliva sample and DNA stored by 23andMe but want to change that preference, you can do so from your account settings page, under “Preferences.”
To revoke permission for your genetic data to be used for research:
If you previously consented to 23andMe and third-party researchers to use your genetic data and sample for research, you may withdraw consent from the account settings page, under “Research and Product Consents.”
Washington Post technology columnist Geoffrey Fowler told CNN, “The truth is that your data is now up for grabs.
“It could be up for grabs in a whole bunch of different ways. First of all, you’re now relying on this company that is now bankrupt to protect your data, to keep hackers out.
“And this is a company that has had big problems with that in the past. And second of all, and the biggest one probably, is it is looking for someone to sell that data to.
“And whoever they sell it to can choose new ways to use your data.”
Mark Jensen, 23andMe’s board chair, told NBC affiliate WXIA-TV that the company is “committed to continuing to safeguard customer data” and “data privacy will be an important consideration” in any sale.
However, Craig Konnoth, a professor at the University of Virginia School of Law, said certain terms of agreements on the privacy of 23andMe users’ information can change when the company’s assets are purchased.
“The use of customer information is basically governed by whatever the provisions in the privacy and use agreements are that 23andMe contracted with the customers, Konnoth told UVA Today.
“If those provisions get broken, it’s unclear that consumers would have any recourse because the company is going bankrupt.”
Konnoth said certain states like Virginia have strong laws to protect sensitive consumer information collected and stored by companies.
“I think going online, going in and deleting the data would be a very good idea,” he added.
23ANDME’S DOWNFALL
In recent years, 23andMe struggled to generate consistent revenue as fewer home testing kits were being ordered.
People only need their DNA tested once, which is a problem 23andMe never found a way to address.
In March 2024, the company formed a special committee of seven independent directors to evaluate 23andMe’s future.
The company reported a net loss of $667 million last year compared to a $312 million net loss in 2023.
We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward.
Mark Jensen, chair board member of 23andMe.
Nevertheless, all seven directors resigned last September due to differences with co-founder Anne Wojcicki and her strategic direction and voting power in the company.
Later that month, executives at 23andMe agreed to pay a $30 million settlement to customers whose data was affected by a data breach in 2023.
The breach became public in October 2023 when reports surfaced that users’ information from 23andMe had appeared on the dark web for sale.
Hackers accessed names, birth years, genders, and ancestry details, among other non-DNA information, according to court documents.
In December 2023, the company confirmed the leak, revealing that 6.9 million users’ personal data had been compromised.
Wojcicki stepped down as 23andMe’s chief executive a day after the company filed for bankruptcy.
Statements made by attorney generals about 23andMe’s bankruptcy filing
Attorney generals in six states have urged 23andMe users to delete their genetic information from the company’s website.
Rob Bonta, attorney general of California: “California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data. Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.”
Letitia James, attorney general of New York: “New Yorkers’ genetic data is sensitive information that must be protected at all costs. 23andMe’s bankruptcy announcement is concerning and I am urging New Yorkers to take action to safeguard their data. New Yorkers can follow instructions offered by my office to delete their data or destroy any DNA samples held by 23andMe. Anyone experiencing issues deleting their information stored with 23andMe should contact my office.”
Christopher Carr, attorney general of Georgia: “23andMe collects highly personal information from consumers. In a bankruptcy proceeding, this sensitive data could be considered an asset, and as such, it could be sold or transferred to a third party.”
Aaron Ford, attorney general of Nevada: “I urge Nevadans to access their accounts on 23andMe’s website and consider deleting their shared genetic data in order to ensure their privacy. 23andMe has indicated they will continue to honor such actions, and users should make use of this option as soon as possible.”
Aaron Frey, attorney general of Maine: “DNA is arguably an individual’s most sensitive data. 23andMe has made assurances regarding their data privacy practices, but I would urge consumers to consider deleting their genetic data while the company is facing this instability. My office will be following the bankruptcy closely to ensure 23andMe honors its data privacy commitments.”
John Formella, attorney general of New Hampshire: “Despite the bankruptcy filing, both 23andMe and any potential buyer remain responsible for protecting consumer data. Additionally, consumers can proactively protect their data by deleting their genetic data, requesting the destruction of their test sample, and revoking authorization for 23andMe to share their data with third-party researchers.”
