So after posting this story this morning, I got a number of enquiries about how one can delete their 23andMe data. I did some looking around and I found that The Verge has excellent instructions on how to delete your data.
That’s the good news. Here’s the bad news. Deleting your data may not matter. Here’s why:
One of the notable issues is that this process also won’t delete all of your data — according to 23andMe’s privacy disclosure, your genetic information, date of birth, and sex will be retained for an undisclosed amount of time to comply with the company’s legal obligations, alongside “limited information related to your account,” such as your email address and communications around your data deletion request.
As I said this morning, the DNA or related genetic information is going to be super valuable to any company that wants to buy 23andMe, or what’s left of it. So it doesn’t surprise me that this verbiage exists. And it means that anyone who took a 23andMe test will have their data floating around in some form for a very long time, if not forever.
The takeaway from this whole episode is that perhaps you need to think twice before you use one of these services, as this could be the end result.
UPDATE: Ensar Seker, CISO at SOCRadar had this comment:
“With 23andMe facing bankruptcy, there are serious concerns about what happens to millions of users’ genetic and personal health information (PHI). This isn’t just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations. Unlike a password or credit card number, you can’t change your DNA.”
“The most immediate risk is that this highly valuable dataset could be sold during bankruptcy proceedings, either to repay creditors or as part of asset acquisition. While regulations such as HIPAA and data use agreements exist, bankruptcy can complicate consent, data retention, and transfer policies, especially if the company is acquired by a foreign entity or a data broker.”
“From a security perspective, if proper safeguards and access controls aren’t maintained during this uncertain period, there’s a high risk that this data could be exfiltrated, sold on the dark web, or used in nation-state-level surveillance and profiling operations. It could even be leveraged in advanced identity fraud, blackmail, or discriminatory practices, especially if combined with breached data from other sources.”
“Additionally, given the military, political, and economic interest some governments have in genomic data, there’s also a strategic threat vector here. DNA data can reveal not just ancestry but predispositions to diseases, behavioral traits, and vulnerabilities, information that could be abused in both commercial and geopolitical contexts.”
“The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis. Regulators, privacy watchdogs, and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight, and ethical responsibility are now more important than ever.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this:
“23andMe is based in South San Francisco, California, so the company’s data is subject to the stricter privacy protections enforced in California. The bankruptcy is Chapter 11, meaning the company will likely continue operating until a new buyer is found. This means 23andMe customers do still have time to request that the company delete all of their data, including their genetic data. I strongly recommend that affected customers make a deletion request as soon as possible, to ensure that your data is not sold.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech adds this:
“The privacy policy that 23andMe customers agreed to may no longer apply if another company acquires it or its assets. Furthermore, genetic data is not considered medical info in the USA, and 23andMe is not considered a healthcare provider, so it’s not subject to HIPAA protections. Whoever acquires 23andMe will be free to change the privacy policy. I recommend deleting your 23andMe account immediately and requesting your personal data be deleted. Given the company’s data breach and compliance with law enforcement, this should be a no-brainer for privacy.”
Brian Higgins, Security Specialist at Comparitech offers this:
“It really depends on where the company is registered. In the case of a U.K. bankruptcy, according to the Insolvency Service, “The official receiver will become the data controller for personal data held by the bankrupt.” This at least gives some confidence to those customers affected by the failure of the company as regulations regarding storage, security and access ought to be maintained.”
“If 23andMe were incorporated/registered elsewhere then it would be worth checking the data protection regulations of the jurisdiction concerned as there are some major differences in provision across the globe.”
Martin Jartelius, CISO at Outpost24 provided this:
“When any organization goes under, it will be harder to maintain privacy and control of information. We do not know who will pick it up, we do not know if sunsetting will be needed and we do not know how said sunsetting would work. The cyber element of personal data is generally related to credibility, such as the ability to refer to a relationship or bond to instigate an action of others, or simply the use of information related to the platform for the purposes of fraud or extortion – none of those are immediate and none are disastrous.”
OnX Celebrates 40+ Years of Excellence and a Decade of Double-Digit Growth in Canada
Posted in Commentary with tags OnX on March 25, 2025 by itnerd
OnX is proud to celebrate a significant milestone in its more than 40-year history of delivering industry-leading technology solutions to public and private organizations across Canada. Recently marking 10 consecutive years of double-digit growth, the company remains dedicated to driving innovation and transformative outcomes for its customers.
OnX is a trusted partner to public and private organizations looking to align advanced technologies—including AI—with clear, outcome-driven business goals. By combining a best-in-class technology portfolio with comprehensive professional and managed services, OnX delivers the agility, scalability, and resilience needed to lead in today’s evolving digital landscape.
Core strengths are centered in a multidisciplinary team of certified engineers, solution architects, analysts, and data specialists with deep expertise across cloud, infrastructure, digital workplace, and data intelligence. From AI-enabled automation and data readiness to proactive service management, OnX empowers clients to modernize operations, enhance service delivery, and unlock measurable business value.
Specializing in cloud, consulting, cybersecurity, digital workplace, application modernization, infrastructure, and managed services, OnX is also making significant investments to become a forward-thinking Canadian AI enablement provider. These investments aim to help organizations capitalize on AI’s transformative potential by ensuring data readiness, implementing strategically aligned AI infrastructure, developing governance frameworks, and building processes to integrate AI into core business operations, creating meaningful competitive advantages.
As part of its AI initiative, OnX is pleased to welcome Celio Casadei as the Senior Vice President of Cloud and AI. A dynamic leader, Celio brings extensive expertise in managing and delivering large-scale cloud, data, and AI solutions. His proven track record of driving operational excellence, optimizing modern infrastructure, and advancing AI innovations spans industries including financial services, telecom, insurance, and government.