The recent bankruptcy of 23andMe, a once-pioneering consumer genetics firm, is sending shockwaves through the cybersecurity and data privacy community. The company's voluntary Chapter 11 filing—and the surrounding fallout—highlights not just the fragility of consumer trust, but the alarming gap in data protection frameworks when a data-centric business collapses.
From DNA kits to bankruptcy court
In a press release dated March 23, 2025, 23andMe announced that it has "initiated a voluntary Chapter 11 process in the U.S. Bankruptcy Court for the Eastern District of Missouri to facilitate a value-maximizing sale process." The goal: restructure and potentially sell assets while addressing mounting operational and financial challenges, including fallout from a massive data breach in 2023 that exposed the sensitive data of nearly seven million users.
The company reassured customers that there will be "no changes to how customer data is stored, managed, or protected during this process." Yet, that has not stemmed the growing concern among regulators and experts.
California Attorney General issues consumer alert
Just two days earlier, California Attorney General Rob Bonta issued a consumer alert urging residents to take action to protect their data from potential misuse during 23andMe's restructuring.
"Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company," Bonta said in the March 21 press release.
Under the California Consumer Privacy Act (CCPA) and the Genetic Information Privacy Act (GIPA), consumers have the right to:
- Delete their genetic data
- Revoke research consent
- Request the destruction of biological samples
Cybersecurity experts: 'this is a trust crisis'
Experts across the cybersecurity landscape are calling the 23andMe case a turning point—not just for genetic testing firms, but for any business built on sensitive user data.
"When a company that's built on personal data collapses, it forces the entire industry to confront an uncomfortable truth: user trust is fragile," said Gal Ringel, Co-Founder and CEO of MineOS. "Genetic data isn't like passwords or credit cards—you can't reset your DNA."
"The value of data outlasts the company that collected it," he added. "Consumers are now asking questions companies should have asked themselves much earlier: Who owns this data? Who controls it during an acquisition? Can it be sold? Should it be?"
Zero trust for genetic data
Darren Guccione, CEO of Keeper Security, stressed that encryption alone isn't enough, saying, "The protection of genetic data requires more than just encryption—it demands strict privacy, access controls, and robust identity security."
He recommends a zero-trust approach with:
- Privileged access management
- Strong authentication
- Regular auditing
- Restricted third-party integrations
He also emphasized the need for organizations handling DNA or personally identifiable information (PII) to comply with security certifications like SOC 2 Type 1 and 2 and ISO 27001, 27017, and 27018 to demonstrate ongoing, rigorous compliance.
The real risk: corporate collapse
For Casey Ellis, founder of Bugcrowd, this isn't just a security story—it's a structural vulnerability in the digital age.
"This is an unfortunate, yet timely reminder that no matter how well or poorly your data is protected at a technical level, it is still subject to the risk of the company going bankrupt and selling it in ways you cannot control," Ellis said. "DNA is a password the user cannot change—and once it's out, it stays out."
According to Piyush Pandey, CEO of Pathlock, the U.S. still lacks sufficient legal safeguards for ultra-sensitive data when companies undergo financial or legal distress.
"Until the government imposes stricter control measures and provides clear guidance on how to handle exceptional cases like this, it's unlikely we'll see any significant action from companies," Pandey warned.
He also reminded consumers that under California law they have the right to demand deletion, and that they can monitor whether a company has complied by watching for signs such as continued advertising or a lack of response to the request.
While 23andMe navigates bankruptcy court and searches for a buyer, millions of users are left to wonder what will happen to their genetic data. Will it be deleted? Sold? Or safeguarded as promised?
The case underscores a critical need for data lifecycle planning, enforceable data transition policies, and stronger regulatory oversight—especially for companies whose core asset is deeply personal data.
"Transparency shouldn't depend on a press release after the fact," Ringel said. "If your business is built on sensitive data, your responsibility to protect it should outlast the business itself."
Follow SecureWorld News for more stories related to data privacy and cybersecurity.