Archive for 23andMe

Can I Delete My 23andMe Data? Yes…. But It May Not Matter

Posted in Commentary with tags on March 24, 2025 by itnerd

So after posting this story this morning, I got a number of enquiries about how one can delete their 23andMe data. I did some looking around and I found that The Verge has excellent instructions on how to delete your data.

That’s the good news. Here’s the bad news. Deleting your data may not matter. Here’s why:

One of the notable issues is that this process also won’t delete all of your data — according to 23andMe’s privacy disclosure, your genetic information, date of birth, and sex will be retained for an undisclosed amount of time to comply with the company’s legal obligations, alongside “limited information related to your account,” such as your email address and communications around your data deletion request.

As I said this morning, the DNA or related genetic information is going to be super valuable to any company that wants to buy 23andMe, or what’s left of it. So it doesn’t surprise me that this verbiage exists. And it means that anyone who took a 23andMe test will have their data floating around in some form for a very long time, if not forever.

The takeaway from this whole episode is that perhaps you need to think twice before you use one of these services, as this could be the end result.

UPDATE: Ensar Seker, CISO at SOCRadar had this comment:

“With 23andMe facing bankruptcy, there are serious concerns about what happens to millions of users’ genetic and personal health information (PHI). This isn’t just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations. Unlike a password or credit card number, you can’t change your DNA.”

“The most immediate risk is that this highly valuable dataset could be sold during bankruptcy proceedings, either to repay creditors or as part of asset acquisition. While regulations such as HIPAA and data use agreements exist, bankruptcy can complicate consent, data retention, and transfer policies, especially if the company is acquired by a foreign entity or a data broker.”

“From a security perspective, if proper safeguards and access controls aren’t maintained during this uncertain period, there’s a high risk that this data could be exfiltrated, sold on the dark web, or used in nation-state-level surveillance and profiling operations. It could even be leveraged in advanced identity fraud, blackmail, or discriminatory practices, especially if combined with breached data from other sources.”

“Additionally, given the military, political, and economic interest some governments have in genomic data, there’s also a strategic threat vector here. DNA data can reveal not just ancestry but predispositions to diseases, behavioral traits, and vulnerabilities, information that could be abused in both commercial and geopolitical contexts.”

“The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis. Regulators, privacy watchdogs, and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight, and ethical responsibility are now more important than ever.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this:

“23andMe is based in South San Francisco, California, so the company’s data is subject to the stricter privacy protections enforced in California. The bankruptcy is Chapter 11, meaning the company will likely continue operating until a new buyer is found. This means 23andme customers do still have time to request that the company delete all of their data, including their genetic data. I strongly recommend that affected customers make a deletion request as soon as possible, to ensure that your data is not sold.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech adds this:

“The privacy policy that 23andMe customers agreed to may no longer apply if another company acquires it or its assets. Furthermore, genetic data is not considered medical info in the USA, and 23andMe is not considered a healthcare provider, so it’s not subject to HIPAA protections. Whoever acquires 23andMe will be free to change the privacy policy. I recommend deleting your 23andMe account immediately and requesting your personal data be deleted. Given the company’s data breach and compliance with law enforcement, this should be a no-brainer for privacy.”

Brian Higgins, Security Specialist at Comparitech offers this:

“It really depends on where the company is registered. In the case of a U.K. bankruptcy, according to the Insolvency Service, “The official receiver will become the data controller for personal data held by the bankrupt.” This at least gives some confidence to those customers affected by the failure of the company as regulations regarding storage, security and access ought to be maintained.”

“If 23andme were incorporated/registered elsewhere then it would be worth checking the data protection regulations of the jurisdiction concerned as there are some major differences in provision across the globe.”

Martin Jartelius, CISO at Outpost24 provided this:

“When any organization goes under, it will be harder to maintain privacy and control of information. We do not know who will pick it up, we do not know if sunsetting will be needed and we do not know how said sunsetting would work. The cyber element of personal data is generally related to credibility, such as the ability to refer to a relationship or bond to instigate an action of others, or simply the use of information related to the platform for the purposes of fraud or extortion – none of those are immediate and none are disastrous.”

If You Used 23andMe, You May Want To Start Being Concerned

Posted in Commentary with tags on March 24, 2025 by itnerd

News is just filtering in that DNA testing service 23andMe has filed for bankruptcy protection.

Keep in mind that this company has been in trouble for a while. They got pwned in October of 2023. Then when the scope of the hack became clear, they tried to shift the blame to users via changing their terms of service. Then when even more came out about the hack, the company said it was the fault of their users that they got pwned. Too bad there was evidence that the company was asleep at the switch for months. The company then tried to pay their way out of this. But it became clear that they were living on borrowed time. That left this question. What happens to customer data? That’s now a today problem for anyone who has used the service. But….

23andMe said in a press release that it plans to continue operating throughout the sale process and that there “are no changes to the way the company stores, manages, or protects customer data.”

On Friday, the Attorney General in 23andMe’s home state of California issued a consumer alert advising customers to delete their data from the site given the company’s “reported financial distress.”

IF you can do that, great. But one suspects that is going to be difficult, if not impossible in this case. I say that because the DNA of their customers is going to be insanely valuable as part of any sale. Thus I don’t see a scenario where users will be able to delete their data as a means to protect themselves.

Watch this space as this just got real for 23andMe users.

23andMe Is Screwed… What Happens To Customer Data?

Posted in Commentary with tags on October 6, 2024 by itnerd

It’s pretty clear based on this that 23andMe is screwed. But the part that should terrify any customer of this DNA testing service is what happens to that data when the company finally dies. That’s a real concern as according to this NPR report:

Anya Prince, a law professor at the University of Iowa’s College of Law who focuses on genetic privacy, said those worried about their sensitive DNA information may not realize just how few federal protections exist.

For instance, the Health Insurance Portability and Accountability Act, also known as HIPAA, does not apply to 23andMe since it is a company outside of the health care realm.

“HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe,” she said.

Although DNA data has no federal safeguards, some states, like California and Florida, do give consumers rights over their genetic information.

“If customers are really worried, they could ask for their samples to be withdrawn from these databases under those laws,” said Prince.

That’s a bit troubling. Fortunately, there’s something that 23andMe customers can do about it. Close their account ASAP:

23andMe has a page with instructions on how users can request an account closure. But in your 23andMe account, navigate to Settings, scroll down to the 23andMe Data section at the bottom, and click View on the right. Enter your birthday and then scroll to the bottom of the next page and click Permanently Delete Data.

Once you submit your request, 23andMe will email you to confirm it. Doing so will prompt the company to discard a customer’s genetic testing samples and prevent the company from using their data for future research projects. It could take up to 30 days to go into effect, though.

There is a catch though:

Although customers can request the company to delete their data, 23andMe won’t necessarily erase all your information. The company has been telling users who request an account deletion: “23andMe and the contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with legal obligations, pursuant to the federal Clinical Laboratory Improvement Amendments of 1988 and California laboratory regulations.”

And that is going to be a worry for any 23andMe customer. Especially since any bankruptcy proceeding or sale of the company likely would involve selling that data as part of the assets of the company. But at least requesting that your account be closed is something.

Bottom line. This is a cautionary tale that illustrates that these sorts of companies operate in a “grey area” and more regulation is required to govern how companies like this operate.

The End Might Be Near For 23andMe

Posted in Commentary with tags on September 23, 2024 by itnerd

You might recall the recent troubles of DNA testing service 23andMe. The company got pwned in epic fashion. That led to them quietly trying to alter their terms of service to avoid getting sued. But when that didn’t work, they blamed their users for getting pwned. Ultimately, they are now trying to pay their way out of trouble. Now they have some new trouble:

On Tuesday, the independent directors of the Board of 23andMe Holding Co. (NASDAQ:ME) sent a letter to Anne Wojcicki, Chief Executive Officer, Co-Founder, and Chair of the Board of Directors of 23andMe, providing their resignation, effective immediately.

The board said, “After months of work, we have yet to receive from you a fully financed, fully diligenced, actionable proposal that is in the best interests of the non-affiliated shareholders. We believe the Special Committee and the Board have provided ample time for you to submit such a proposal. That we have not seen any notable progress over the last 5 months leads us to believe no such proposal is forthcoming. The Special Committee is therefore unwilling to consider further extensions…”

That’s bad, but it gets worse:

On Wednesday, 23andMe Holding Co., a company specializing in biotechnology and personal genomics, disclosed a notification of non-compliance from Nasdaq’s Listing Qualifications Department. The notice, dated September 18, 2024, indicated that 23andMe does not currently meet Nasdaq’s corporate governance requirements due to a shortfall in the number of independent directors on its board and the composition of its key committees.

And:

23andMe must now submit a plan by October 3, 2024, to regain compliance. If Nasdaq accepts this plan, the company may be granted up to 180 days to demonstrate full compliance. However, if the plan is rejected, 23andMe will have the option to appeal before a Nasdaq Hearings Panel.

Seeing as this company has been trying to sort itself out for months, I don’t see a scenario where they get themselves sorted in weeks. Thus I am pretty sure that they are going to get delisted from NASDAQ, and then they are likely going to cease to exist. This shows what happens when you have one catastrophic event, in this case getting pwned, and you can’t recover. Other businesses should see this as a cautionary tale.

23andMe Didn’t Notice That They Got Pwned For Five Months…. WTF??

Posted in Commentary with tags on January 29, 2024 by itnerd

So if you haven’t been keeping track of the ongoing story of 23andMe being pwned in epic fashion, here’s a quick update:

Let’s fast forward to today. According to a filing that was sent to California’s attorney general, the hack actually started in April 2023 and continued until September. That’s five months. Five months where threat actors were able to do their evil work. And what’s worse than that is the fact that 23andMe only found out about this when the threat actors started posting the data on the unofficial subreddit for 23andMe. Now it’s pretty bad when you get pwned. It’s worse when you don’t know about it for months and you only find out about it because someone was browsing Reddit. Which to me suggests that 23andMe was seriously asleep at the switch. 23andMe seriously needs to be sued out of existence because this is frankly unacceptable. And this level of #fail needs to be punished severely.

23andMe To Users Who Are Suing Them: It’s Your Fault That We Got Pwned

Posted in Commentary with tags on January 4, 2024 by itnerd

The more that I read about 23andMe, the more that they come across as being complete scumbags. Hot off of this rather underhanded trick to try and distance themselves from being sued out of existence because they got pwned and pwned big, comes this:

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Well that’s pretty low. Ken Westin, Field CISO, Panther Labs had this to say:

Placing blame on end users for large-scale security incidents is never a good move. This move by 23andMe feels more like something that lawyers cooked up to avoid liability in the short-term without consideration for the long term consequences or real reflection by the company regarding their security practices. Given the nature of 23andMe’s business, trust is a key component of their go-to-market strategy, so it will be interesting to see how the market responds to this approach. I believe it will have a detrimental effect and have a larger impact on the business as a result. How organizations respond to security incidents can have a more significant impact than the original breach if it is not handled responsibly.

I agree with this. This sounds like a very bad thing to say that was cooked up by a lawyer. I wonder if that lawyer’s name is Han Solo as this defence sounds really familiar:

If there’s a company that truly needs to be sued out of existence based on their actions after being pwned by hackers, it’s this one.

UPDATE: Paul Valente, CEO & Co-Founder, VISO TRUST adds this comment:

“While 23andMe’s legal reply is not at all surprising, this case has the potential to set a new precedent in accountability — one which many CISOs and security professionals will appreciate — where B2C enterprises are held accountable for making sure allowed authentication methods are commensurate with the applicable risks and threats.”

23andMe Tries To Cover Themselves From Being Sued For Being Pwned By Altering Their Terms Of Service

Posted in Commentary with tags on December 6, 2023 by itnerd

Hot on the heels of the disclosure of how bad the 23andMe hack was, and the rumblings of lawsuits related to that, it is now coming to light that 23andMe might be trying to blunt any attempts to sue them via a change to their terms of service. This came to my attention via this post on Mastodon. Here’s the relevant part:

So in short, if you don’t send them an email rejecting the change in their terms of service, which you can read here and specifically this part, you will give up the ability to be part of the class action lawsuits that are being filed or take action in court against them. What they’re counting on is that nobody is going to read this in detail and send them an email saying “no I don’t agree to these terms”. Thus limiting their exposure to the class action lawsuits that are likely to be filed. This is pretty sneaky by 23andMe and they need to be called out for this.

While I am not a lawyer, you should email 23andMe and reject this change. Then I would lawyer up for the class action lawsuit that we all know is coming.