23andMe, a once-popular and thriving genetic testing company, is now facing bankruptcy. The company pursued its purpose of promoting the human genome through accessibility, understanding, and benefit with a simple process: from a spit sample, it gave the consumer detailed ancestral trees, health risks, and DNA reports. The company’s results helped consumers connect with long-lost relatives, support informed medical decisions, and uncover life-changing ancestral data. Yet, 23andMe is now up for sale, and all the genetic data accumulated by the company is at risk.
Trust is fundamental for stability in any company that handles important data; a corporation without trust rarely survives on its own.
“Companies have gone out of business completely…because of that loss of trust,” said Randy Jackson, Westminster’s IT services engineer.
As for 23andMe, the company’s downfall began with a major data breach that occurred in early 2023. A hacker gained access to almost half of all users’ individual genetic data through credential stuffing, an automated process of trying passwords stolen from other websites and accounts. The company failed to take full responsibility for the breach, however, and instead shifted the blame toward users’ carelessness. The data breach generated fear and distrust amongst previous customers, and more importantly, potential future customers. Two years later, the company’s data is once again at risk, with the safety of data transactions in the hands of a potential buyer.
In response to the concern regarding user data privacy, the company stated, “any buyer of 23andMe will be required to agree to comply with our privacy policy and with all applicable law with respect to the treatment of customer data.”
As 23andMe is a private, direct-to-customer company, however, many important laws don’t apply to it, such as the Health Insurance Portability and Accountability Act, which protects the confidentiality of healthcare information. Its privacy policy explains that data samples will be destroyed at the customer’s request, but any data, once exposed to the internet, can never be completely deleted.
“Once it’s out there, it’s out there,” said Jackson. “You can try to delete stuff, but if someone has downloaded it, you aren’t able to [access] that.”
DNA holds all the genetic instructions of an organism, shaping an individual’s biological identity. Unlike credit card information, genetic information forever defines us: it cannot be deleted or changed.
Genetic testing companies like 23andMe have become increasingly appealing to the general population due to the unique assessments they offer. There aren’t other methods nearly as accessible, efficient, and detailed that could produce the same ancestral and biological data that DNA testing does. Curiosity is a driving force in genetic testing, but it also has potentially negative consequences.
“You don’t know what you’re looking for, [but]… once you learn genetic information about yourself, you can’t un-know it,” said Upper School science teacher and geneticist Kelly Tracy.
Customers are often unaware of the potential dangers related to sharing their genetic data with companies. Once an individual’s DNA is released to the internet, its path is unpredictable. In a technologically advancing society, the possibilities of genetic information being used negatively are numerous. Hackers may use ancestral trees to initiate personal threats and endanger customers for monetary gain, or sell profiles to targeted buyers. Once the data is released into the network, banks and financial companies can assess personal health hazards, such as the possibility of developing Alzheimer’s, and deny loans because of the risk that the customer will be unable to pay off the loan. Discrimination and ethnically targeted attacks could also stem from leaked DNA, which seemed to be the motive of Golem, 23andMe’s hacker.
“Golem boasted about having access to the accounts of people of Ashkenazi Jewish heritage who had sent their DNA to 23andMe, and offered to sell it to whoever was prepared to pay,” said BBC News.
Some experts argue that genetic data leakages aren’t as severe as they are thought to be. Drawing attention through seemingly racially motivated acts is a method hackers use to gain more profit.
“It’s common to try to package and market your data to try to get other criminals to buy it, to make it seem valuable and appealing,” said Lily Hay Newman, a hacking-focused writer.
Realistically, genetic data can’t determine crucial information such as a person’s appearance or where they live. Most of the fear stems from discomfort with the idea of hackers possessing uniquely personal information, rather than from the hazards and outcomes themselves.
“Technology isn’t as far along as you might think,” said Tracy. “There’s always the concern of the unknown.”
The future holds uncertainties about technology, which raises valid questions and fears about any form of collected information in general.
“I’m more scared that genetic profiling is going to be completely normalized,” said Leah Jacob, a junior who is part of the Science Olympiad. “Hopefully, regulations err toward the side of digital personal protection in the future.”
Ultimately, the fate of 23andMe’s customer data depends on the safety measures implemented in the process between the company and the buyer. Experts urge caution when sharing data as personal as DNA, especially in an advancing era where the capabilities of technology are unknown.
Edited by Samanyu Ganesh