Last Sunday, DNA test kit company 23andMe announced bankruptcy.
23andMe uses DNA samples, usually in saliva, to help people track their ancestry and give them deeper insights into their genetic health.
This news caused instant concern amongst its 14 million users, as the company currently stores a lot of very personal, genetic data.
This data not only includes information about ancestry, but also health risks and genetic makeup too. Many have questioned who could gain access to this information and, crucially, what they might be able to use it for.
So, if you’ve used 23andMe before, you might be wondering: what happens to my data now, and how can I protect myself?
To find out, we asked the experts.
But first:
How To Delete Your 23andMe Data
According to Vonny Gamot, Head of EMEA at McAfee, here’s what you should do:
To Delete Your Account and Genetic Data:
- Log in to your 23andMe account.
- Go to Settings.
- Scroll down to 23andMe Data and click View.
- (Optional) Download your data if you want to keep a copy.
- Scroll to the Delete Data section.
- Click Permanently Delete Data.
- Confirm via the email link you’ll receive.
To Destroy Your Saliva Sample:
- Go to Settings.
- Navigate to Preferences.
- Select the option to destroy your stored biological sample.
To Revoke Research Consent:
- Go to Settings.
- Navigate to Research and Product Consents.
- Withdraw your consent for data sharing.
Want to hear what the experts think? Look no further…
Our Experts
- Ross Brewer, UK and EMEA Managing Director, Graylog
- Siân John, CTO at NCC Group
- Bharat Mistry, Field CTO at Trend Micro
- Vonny Gamot, Head of EMEA at McAfee
- Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity
- Darren Guccione, CEO and Co-Founder at Keeper Security
- Tilo Weigandt, COO and Co-Founder at Vaultree
- Sarah Pearce, Partner at Hunton
For any questions, comments or features, please contact us directly.
Ross Brewer, UK and EMEA Managing Director, Graylog
“The main thing 23andMe users can do is monitor their identity closely. Since a large amount of user data was already compromised and likely sold on the dark web, it’s hard to now retrieve or delete it. However, individuals can pay for monitoring services that alert them to suspicious activity, such as attempts to take out loans or perform credit checks in their name.
“Most breaches like this lead to the affected company offering free identity monitoring – while not 100% effective, it’s worth taking advantage of – this of course will only apply if the company is now purchased.
“Perhaps most importantly, people should also adopt a zero-trust model – assume that any unexpected request for information or money, even from someone appearing to be a family member or friend, could be a scam. Scammers often use emotionally charged stories to manipulate victims, so verifying any such request directly with the person involved is essential. Educating friends and family about potential scams is also crucial to reducing further harm.”
Siân John, CTO at Global Cyber Security Company NCC Group
“As 23andMe intends to continue operating its business with normal processes, there will be no changes to its management and protection of customer data. If another company acquires 23andMe, then it could have access to users’ data. But it will have to stick to the rules set out in the privacy policy, or ask for permission when this changes.
“For customers, this is a good opportunity to pose the question to yourself: what companies have I shared my personal data with?
“Whilst it can be interesting to find out information about yourself, it’s important to consider how the data you share will be treated – especially extremely personal information such as DNA data. Privacy policies will declare if your data will be destroyed after a certain amount of time, which is why it’s so important to read these.”
“The UK’s General Data Protection Regulation (GDPR) requires that companies ask permission to use customers’ personal data. It also requires these companies to protect UK citizen’s data, regardless of where the data is stored.
“A section of GDPR, known as the Right to Erasure, allows customers to request that companies remove their personal data. Administrators of an acquiring company should be responsible for upholding this.”
Bharat Mistry, Field CTO at Trend Micro
“23andMe’s bankruptcy poses risks to its 15 million users as their genetic data could be considered an asset in liquidation or potentially sold to less privacy-focused entities. The idea that your most sensitive genetic information could be auctioned off as a company asset is utterly terrifying. GDPR applies to the processing of personal data of individuals who are in the European Union, where the processing activities are related to the offering of goods or services to individuals in the Union. Such individuals can exercise their right to access, objection, correction and deletion (or erasure) when it comes to their personal data. Frankly, anyone who hasn’t already asked 23andMe to delete their data is playing a dangerous game.
“Delete 23andMe data, then prioritise privacy. Limiting data sharing, strengthening security, reviewing policies, reviewing app permissions and using VPNs are all best practices. Individuals can minimise social media use, back up data and support privacy laws. Treating all shared data as potentially compromised is a good ‘rule of thumb’ when considering online privacy and what we are/aren’t comfortable sharing online.”
Vonny Gamot, Head of EMEA at McAfee
“23andMe, once a pioneer in at-home genetic testing, has fallen into financial distress after a series of challenges, including a massive data breach in 2023 that exposed the personal information of nearly 7 million users. Now, as 23andMe prepares to sell off its assets under court supervision, its massive database of customer DNA – reportedly from more than 15 million users – is on the table.
“Your DNA isn’t the only personal data at risk. From email addresses and home addresses to phone numbers and even shopping habits, data brokers are collecting and selling your information online – often without your knowledge or consent. That’s why it’s critical to take control of your digital footprint. There are tools available that can scan for accounts that you no longer use, helping you to delete them, along with your personal info. Others can even scan data broker sites and request the removal of your data for you.”
Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity
“What does it mean for the site’s 15 million users? What are the risks to their data?
“At this stage, I don’t think there is a need to panic. It is likely that the company will be acquired, possibly even by its founder, and failing that the public scrutiny and regulatory compliance issues faced by any other potential purchaser are likely to ensure that strong steps are taken to preserve user privacy. It would be more concerning if only the assets are acquired and the company is liquidated; this might leave the data more exposed to exploitation, as existing privacy agreements may no longer be valid under such circumstances.
“What can people do? Is there an easy way to delete your data?
“If you have data stored within the platform which might expose you or cause you challenges should it get into the wrong hands, the best recourse is to delete your account and communicate separately with the company to ensure that all of your data and samples are properly destroyed.
“What else can you do to protect your privacy as a result, and more generally?
“Firstly, think very carefully about the risks of providing sensitive personal data, and particularly genetic or biomarker data to any company.
“In general, if you choose to submit genetic data to a company, ensure that they are reputable and that they are fully compliant with the data protection regulations, both in your country and in theirs, and provide the bare minimum of personal information with your submission.
“For companies implementing such services, leading information management companies are able to provide data protection solutions which can provide privacy assurances, by doing things like tokenisation and anonymisation of data. To the largest extent, the identities of individual customers should be completely isolated from the samples they provide and from the analysis of such samples, with the ability for essential associations to be made being very tightly controlled through robust processes. Attention must be paid to the full data lifecycle, being very mindful of how and when it is appropriate to destroy sensitive data and materials.”
Darren Guccione, CEO and Co-Founder at Keeper Security
“The protection of genetic data requires more than just encryption – it demands strict privacy, access controls and robust identity security. Organisations handling this type of incredibly sensitive data must implement a zero-trust approach with stringent internal controls, ensuring that access is tightly restricted to only those who absolutely need it. Privileged access management is essential to minimising risk, preventing unauthorised access and limiting the potential damage of a breach. Companies should enforce strong authentication requirements, regularly audit access logs and restrict third-party integrations that could introduce vulnerabilities.
“Organisations storing any personally identifiable information, including attributes of users’ DNA, should meet recognised security certifications such as SOC 2 Type 1 and Type 2 and ISO 27001, 27017 and 27018. These certifications demonstrate that the company has established robust controls covering confidentiality, security, privacy, risk management practices and internal audits to safeguard sensitive data, processes and infrastructure. Regular monitoring and periodic audits are key to ensuring continued compliance. Organisations can implement automated tools and conduct periodic assessments to ensure suppliers are adhering to required standards and regulations. By maintaining recognised security certifications, organisations are upholding high standards of security and compliance, including adherence to international regulations.
“Consumers also need to be empowered with greater control over their data, including clear pathways for deletion and visibility into how their information is used. Due to uncertainty over the future of the business, and the data it holds, 23andMe customers should consider contacting the company to have their genetic information deleted.
“As an industry, we must push for stronger security and accountability to ensure all genetic data remains protected, regardless of corporate transitions or ownership changes.”
Tilo Weigandt, COO and Co-Founder at Vaultree
“Regardless of 23andMe’s financial status or any acquisition, UK-based users retain their right to access, rectify, or erase their data, be informed about any new controller or use, and object to data processing. Any new data controller is required by GDPR to uphold these rights. If violated, UK customers can complain to the ICO (Information Commissioner’s Office), which can issue fines and enforce compliance.
“However, GDPR enforcement is not always immediate. There may be communication delays about what’s happening to the data, or some data may have already been shared with third-party research or marketing partners.
“Customers should:
- Review the privacy policy and past consents they gave to 23andMe.
- Exercise their right to data erasure if they no longer wish for their data to be retained or transferred.
- Monitor the ICO for any future communications regarding the sale or restructuring of 23andMe.
“This case underscores why technical guarantees of data privacy are needed in addition to legal ones. We should all advocate for and provide solutions like data-in-use encryption, which ensures that even in situations like acquisitions or bankruptcies, data cannot be accessed or exploited without the user’s consent — because it remains encrypted and inaccessible by anyone else, by design.”
Sarah Pearce, Partner at Hunton
“Data protection laws will continue to apply to the personal data collected by 23andMe and sensitive data is subject to increased protections. This data is a significant “asset” that will be taken into account by potential buyers now the company is up for sale. The value of this asset will of course depend on the level of confidence existing customers have in the future owner.
“The sale process won’t impact the personal data itself. Any buyer will be required to comply with data protection laws in respect of such data. If individuals have concerns about the future owner’s approach to privacy and data protection, this may lead to a significant wave of deletion requests.
“Customers were informed about the possibility that their data may be accessed, sold or transferred to another company in the event of a bankruptcy, merger, acquisition, reorganisation, or sale of assets, through 23andMe’s privacy statement. 23andMe made the commitment that, in such case, the privacy statement would continue to apply. Given the sensitivity of the data and the publicity around the matter, data protection authorities around the globe will likely keep a close eye on the future owner’s data processing practices to ensure that this commitment is respected.”