Possible Release of PII and DNA – Not Good

One of the world’s largest genetic testing companies, 23andMe, just filed for bankruptcy over the weekend.  Now millions of DNA samples and private information could end up in the hands of another company.  Genetic testing companies allow customers to send in a saliva sample and learn about ancestry as well as potential health issues.  “I think there are benefits here and there but I think if someone’s collecting a lot of your DNA and storing that data it’s like who else has access,” said one Denver resident.[1]

The 23andMe genetic testing company enjoyed success after being founded in 2006 but ran into trouble after a 2023 data breach, layoffs and internal management issues. 23andMe’s data bank has genetic information belonging to more than 15 million customers.

The potential exposure of genetic information raises concerns about privacy and misuse of sensitive data.  Genetic information is unique and personal, revealing intricate details about an individual’s ancestry, health predispositions, and biological relationships.  The mishandling of such data, especially by profit-driven entities, could lead to severe consequences, including genetic discrimination and exploitation.  It is crucial that stringent measures are in place to protect this invaluable information from falling into the wrong hands.

Metropolitan State University cyber security expert Dr. Steve Beaty told FOX31 that DNA is one of the world’s most valuable commodities.  “Let’s say an insurance company buys all of the DNA data from 23andMe, now I can profile you,” said Beaty.  Beaty said users should consider that DNA samples provide information about other family members as well.  “Half my DNA is from my dad, half my DNA is from my mom, and now all of the sudden they have half their DNA,” he said.

After filing for Chapter 11 bankruptcy, 23andMe provided a statement on 23 March saying, “any buyer will be required to comply with applicable law with respect to treatment of customer data.”  The statement also says, “The company intends to continue operating its business in the ordinary course throughout the sale process. There are no changes to the way the company stores, manages, or protects customer data.”

So far, California’s Attorney General is warning users to delete their genetic information right away.  To delete your account and prevent future use of your DNA samples for research, visit the 23andMe website, log in, go to settings and click on 23andMe data.  Instructions can be found on the company’s website.

On 23 March, media found that the 23andMe website was not operational, displaying a message that said the site was temporarily down for an update, but the mobile website was still accessible.  23andMe states that when customers delete their data, limited information is maintained, including your decision to delete your DNA from the system.  Do you believe this?

23andMe, a genetic testing company founded in 2006, recently filed for bankruptcy due to issues stemming from a 2023 data breach, layoffs, and internal management problems.  The company's data bank contains genetic information for over 15 million customers.  Experts warn that DNA is highly valuable and could be misused if acquired by entities such as insurance companies.  Despite reassurances from 23andMe about data protection, California's Attorney General has advised users to delete their genetic information immediately to prevent misuse.  The company encountered further issues when their website was found to be temporarily down on 23 March, though their mobile site remained functional.

What can you do to protect yourself – TechCrunch offers some remediation steps to delete your data from 23andMe.  First you need to log in to your account, then navigate to the Settings section of your profile.  Scroll down to the selection labeled 23andMe Data.  From there, click the View option and then scroll to the Delete Data section.  Next, select the Permanently Delete Data button.  You will then receive an email from 23andMe with a link that will allow you to confirm your deletion request.  You can choose to download a copy of your data before deleting it.[2]

There is an important point to make here, as 23andMe’s privacy policy states that the company and its labs “will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations.”  The policy continues: “23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.”  *** This essentially means that 23andMe may keep some of your information for an unspecified amount of time. ***

How to destroy your 23andMe test sample and revoke permission for your data to be used for research.  If you previously opted to have your saliva sample and DNA stored by 23andMe, you can change this setting.  You can revoke your permission by going into your 23andMe account settings page and then navigating to Preferences.  In addition, if you previously agreed to 23andMe and third-party researchers using your genetic data and sample for research, you can withdraw consent from the Research and Product Consents section in your account settings.  While you can reverse that consent, there’s no way for you to delete that information, which is a bit disturbing.

Check in with your family members - Once you have requested the deletion of your data, it’s important to check in with your family members and encourage them to do the same because it’s not just their DNA that’s at risk of sale, it also affects people they are related to.  Finally,  it’s worth checking in with your friends to ensure that all of your loved ones are taking steps to protect their data.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


[1] https://www.yahoo.com/news/protect-dna-data-23andme-filed-040851307.html

[2] https://www.msn.com/en-us/news/other/23andme-files-for-bankruptcy-how-to-delete-your-data/ar-AA1BDKtI?ocid=BingNewsVerp
