23andMe Data Breach: When Genetic Privacy Becomes a Commodity


Do the benefits of uncovering our ancestral roots and potentially contributing to scientific research outweigh the immense risks of making our most personal data susceptible to misuse?

In 2020, the business world took notice as investment firm Blackstone acquired Ancestry, a leading online platform for family history, in a staggering $4.7 billion deal. Owning an extensive database of 27 billion records and a DNA network of over 18 million individuals, the acquisition fueled debates about the commodification of genetic privacy.

The inherent inability to anonymize DNA data raised critical questions about safeguarding our genetic information from unauthorized access by hackers and preventing its sale to the highest bidder by private equity firms. Three years later, these concerns appear to have been justified as U.S. biotech firm 23andMe was forced to confirm a data leak after personal genetic information was found for sale on hacker forums.

A reported 13 million pieces of user data from 23andMe were put up for sale on the dark web, taking fears around identity theft to a new and uncharted level. While DNA data “should” be safe, other sensitive information, from users’ birth years and genders to ancestral heritage results, has been compromised. 

The data breach further segregated the affected individuals based on ethnic heritage, exposing detailed information about 1 million Ashkenazi and 300,000 Chinese heritage users. Such a leak doesn’t merely jeopardize financial or online security; it lays the foundation for advanced discrimination and targeted attacks based on genetic background. 

In an era where we’re progressively sharing more of our personal information online, often for the benefit of scientific research and personalized services, this incident forces us to confront the ethical and security dilemmas associated with mass collecting and storing such intimate data. 

How Blockchain Could Better Safeguard Our Genetic Heritage

While I’m intrigued by my family history, I’ve hesitated to share my information with organizations that might willingly or unwillingly commercialize it, expose it to theft, or surrender it to governmental authorities—perhaps even all three. Yet, with family members embracing these services with fewer reservations, it raises the disquieting question: how can we collectively enhance the security protocols around our personal genetic information?


In its recent blog post, 23andMe outlines multiple avenues for users to bolster the security of their accounts. The company directs users to its guidelines for resetting passwords and setting up multi-factor authentication, along with a link to a privacy and security checkup page. But in cybersecurity, closing the stable door after the horse has bolted is like installing an alarm system in your home after you have been robbed.

However, blockchain technology could be a compelling means of protecting DNA data. Renowned for its cryptographically secure, decentralized architecture, blockchain could revolutionize how genetic data is stored and accessed. Blockchain technology fortifies data integrity by employing an immutable, tamper-resistant chain of data blocks. This could bring much-needed trust and transparency to the industry by ushering in democratic ownership of genetic data, ultimately placing control back in the hands of individuals and, by extension, their families.

Blockchain also aligns with evolving global privacy norms, such as GDPR, by enabling “off-chain storage” strategies that satisfy regulatory concerns. In addition, its decentralized nature significantly lowers the risk of centralized hacking attempts. As we ponder the ethical intricacies of collecting and storing genomic data, blockchain offers a plausible avenue for secure, transparent, and ethical management of such sensitive information.
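The sketch below is an added illustration, not code from 23andMe or any genealogy platform. It shows the “off-chain storage” idea in miniature: the chain holds only salted hash commitments, while the record itself sits in a separate store that can be erased. The class names, the record format, and the use of a per-record salt are assumptions made for the example.

```python
import hashlib, json, os

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Append-only hash chain holding commitments only, never genetic data."""
    def __init__(self):
        self.blocks = []

    def append(self, action: str, commitment: str) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "prev": prev,
                "action": action, "commitment": commitment}
        block = dict(body, hash=h(json.dumps(body, sort_keys=True).encode()))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        prev = "0" * 64
        for i, b in enumerate(self.blocks):
            body = {k: b[k] for k in ("index", "prev", "action", "commitment")}
            if b["index"] != i or b["prev"] != prev:
                return False  # block reordered, removed, or relinked
            if b["hash"] != h(json.dumps(body, sort_keys=True).encode()):
                return False  # block contents edited after the fact
            prev = b["hash"]
        return True

class OffChainStore:
    """Hypothetical off-chain store; a real one would also encrypt records."""
    def __init__(self):
        self.rows = {}  # record_id -> (salt, record bytes)

    def put(self, ledger, record_id, record: bytes) -> dict:
        salt = os.urandom(16)  # salt stays off-chain with the record
        self.rows[record_id] = (salt, record)
        return ledger.append("store", h(salt + record))

    def matches(self, record_id, block) -> bool:
        if record_id not in self.rows:
            return False
        salt, record = self.rows[record_id]
        return h(salt + record) == block["commitment"]

    def erase(self, ledger, record_id) -> dict:
        # Deleting record and salt leaves an on-chain hash nobody can recompute.
        salt, record = self.rows.pop(record_id)
        return ledger.append("erase", h(salt + record))
```

Editing either a ledger block or the off-chain record makes the corresponding check fail, while erasing the off-chain record leaves the chain itself verifiable.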

How Genetic Data Breaches Could Reshape Society

Rather than continue repeating the same mistakes and expecting different results, the industry must learn from the vulnerabilities plaguing the direct-to-consumer genealogy industry. Ancestry.com, MyHeritage, and now 23andMe have suffered high-profile data breaches that compromised the personal information of millions of users. These incidents are a collection of stark reminders of the urgent need for fortified security measures to protect the sensitive information held by genealogy platforms.

The potential consequences of high-profile data breaches in genealogy databases reach far beyond the immediate financial or privacy risks associated with other types of data loss. In countries where regulations against genetic discrimination are scarce or underdeveloped, the impact of such breaches could be devastatingly profound. China’s reported use of DNA samples to track and discriminate against Uighurs, a predominantly Muslim ethnic group, is a salient example of state misuse of genetic information for social control and discrimination.

Beyond governmental misuse, the privatization of genetic data could spawn a host of other ethical dilemmas. Envision a world where insurance firms adjust premiums or even outright deny coverage based on a genetic predisposition to specific health conditions. Imagine receiving personalized advertisements not based on your shopping history but on your genetic data for particular health issues or food preferences. 

These data breaches are not just a violation of personal privacy; they could fuel a future where our genetic makeup becomes a tool for discrimination, surveillance, and exploitation. This unsettling landscape prompts a crucial question: Does the utility of consumer-facing genetic services outweigh the far-reaching risks of our most intimate data falling into the wrong hands? What can companies like 23andMe learn from this?

The Bottom Line

Big data and machine learning might be destined to transform genetic testing, but how we secure this information has arguably been overlooked. The repercussions of data breaches in the genealogical sector extend far beyond immediate monetary or privacy concerns. They infiltrate the crux of our biological identity.

As we find ourselves at the precipice of technological advancements like blockchain that offer solutions for secure data management, we are also confronted with ethical quandaries that challenge the essence of privacy in the digital age.

We must collectively ask: Do the benefits of uncovering our ancestral roots and potentially contributing to scientific research outweigh the immense risks of making our most personal data susceptible to misuse? This critical juncture calls for immediate action—a holistic reevaluation of existing security measures and a steadfast commitment to ethical responsibility—to ensure that our genetic heritage doesn’t become the Achilles’ heel of our digital existence.


Neil C. Hughes
Senior Technology Writer

Neil is a freelance tech journalist with 20 years of experience in IT. He’s the host of the popular Tech Talks Daily Podcast, picking up a LinkedIn Top Voice for his influential insights in tech. Apart from Techopedia, his work can be found on INC, TNW, TechHQ, and Cybernews. Neil's favorite things in life range from wandering the tech conference show floors from Arizona to Armenia to enjoying a 5-day digital detox at Glastonbury Festival and supporting Derby County. He believes technology works best when it brings people together.