So after posting this story this morning, I got a number of enquiries about how one can delete their 23andMe data. I did some looking around and I found that The Verge has excellent instructions on how to delete your data.
That’s the good news. Here’s the bad news. Deleting your data may not matter. Here’s why:
One of the notable issues is that this process also won’t delete all of your data — according to 23andMe’s privacy disclosure, your genetic information, date of birth, and sex will be retained for an undisclosed amount of time to comply with the company’s legal obligations, alongside “limited information related to your account,” such as your email address and communications around your data deletion request.
As I said this morning, the DNA or related genetic information is going to be super valuable to any company that wants to buy 23andMe, or what’s left of it. So It doesn’t surprise me that this verbiage exists. And it means that anyone who took a 23andMe test will have their data floating around in some form for a very long time, if not forever.
The take away from this whole episode is that perhaps you need to think twice before you use one of these services as this could be the end result.
UPDATE: Ensar Seker, CISO at SOCRadar had this comment:
“With 23andMe facing bankruptcy, there are serious concerns about what happens to millions of users’ genetic and personal health information (PHI). This isn’t just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations. Unlike a password or credit card number, you can’t change your DNA.”
“The most immediate risk is that this highly valuable dataset could be sold during bankruptcy proceedings, either to repay creditors or as part of asset acquisition. While regulations such as HIPAA and data use agreements exist, bankruptcy can complicate consent, data retention, and transfer policies, especially if the company is acquired by a foreign entity or a data broker.”
“From a security perspective, if proper safeguards and access controls aren’t maintained during this uncertain period, there’s a high risk that this data could be exfiltrated, sold on the dark web, or used in nation-state-level surveillance and profiling operations. It could even be leveraged in advanced identity fraud, blackmail, or discriminatory practices, especially if combined with breached data from other sources.”
“Additionally, given the military, political, and economic interest some governments have in genomic data, there’s also a strategic threat vector here. DNA data can reveal not just ancestry but predispositions to diseases, behavioral traits, and vulnerabilities, information that could be abused in both commercial and geopolitical contexts.”
“The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis. Regulators, privacy watchdogs, and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight, and ethical responsibility are now more important than ever.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this:
“23andMe is based in South San Francisco, California, so the company’s data is subject to the stricter privacy protections enforced in California. The bankruptcy is Chapter 11, meaning the company will likely continue operating until a new buyer is found. This means 23andme customers do still have time to request that the company delete all of their data, including their genetic data. I strongly recommend that affected customers make a deletion request as soon as possible, to ensure that your data is not sold.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech adds this:
“The privacy policy that 23andMe customers agreed to may no longer apply if another company acquires it or its assets. Furthermore, genetic data is not considered medical info in the USA, and 23andMe is not considered a healthcare provider, so it’s not subject to HIPAA protections. Whoever acquires 23andMe will be free to change the privacy policy. I recommend deleting your 23andMe account immediately and requesting your personal data be deleted. Given the company’s data breach and compliance with law enforcement, this should be a no-brainer for privacy.”
Brian Higgins, Security Specialist at Comparitech offers this:
“It really depends on where the company is registered. In the case of a U.K. bankruptcy, according to the Insolvency Service, “The official receiver will become the data controller for personal data held by the bankrupt.” This at least gives some confidence to those customers affected by the failure of the company as regulations regarding storage, security and access ought to be maintained.”
“If 23andme were incorporated/registered elsewhere then it would be worth checking the data protection regulations of the jurisdiction concerned as there are some major differences in provision across the globe.”
Martin Jartelius, CISO at Outpost24 provided this:
“When any organization goes under, it will be harder to maintain privacy and control of information. We do not know who will pick it up, we do not know if sunsetting will be needed and we do not know how said sunsetting would work. The cyber element of personal data is generally related to credibility, such as the ability to refer to a relationship or bond to instigate an action of others, or simply the use of information related to the platform for the purposes of fraud or extortion – none of those are immediate and none are disastrous.”
St. Joseph’s College of Maine notifies 126K people of data breach via Clop ransomware
Posted in Commentary with tags Hacked on March 24, 2025 by itnerdSt. Joseph’s College of Maine over the weekend confirmed that it notified 126,580 people of a December 2023 data breach that compromised SSNs and other private data. Ransomware gang Clop claimed responsibility for the breach in March 2024. Something to note is that it took the school more than a year after discovering the breach to notify victims.
In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:
“Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. Its latest wave of claims mostly involve exploiting vulnerabilities in the Cleo file transfer software, which is used by many organizations. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it demands ransoms solely in exchange for not selling or publishing stolen data.”
“Clop claimed some of the largest ransomware attacks to date, including those on Fortra (GoAnywhere) and MOVEit (Ipswitch). Those two attacks alone breached about 102 million records.”
“In 2025 so far, Clop claimed one confirmed attack on manufacturing company Uniek. The group claimed another 331 unconfirmed attacks this year that haven’t been acknowledged by the targeted organizations. Most of those claims stem from the Cleo vulnerability exploit.”
“Comparitech researchers logged 124 confirmed ransomware attacks on US schools colleges, and other educational institutions in 2023, compromising more than 3 million records. 2024 saw a dip with 72 such attacks compromising 2.5 million records. In 2025 so far, we have tracked 10 confirmed attacks on US schools. The average ransom is just under $700,000.”
“Ransomware attacks on schools and other education facilities can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, and assignments. Ransomware attacks are often two-pronged: they lock down systems and steal data. Schools that refuse to pay can face extended downtime, lose data, and put students and faculty at increased risk of fraud.”
The fact this is coming out a year later means that victims have no hope of even attempting to protect themselves. That’s because their data is likely already out there. That’s rally bad as 126K people are guaranteed to be repeated victims through no fault of their own. And that really sucks.
Leave a comment »