REPORTAGE: 23andMe’s Bankruptcy: A Cautionary Tale of Cybersecurity Negligence

This past weekend, 23andMe filed for bankruptcy, marking a dramatic downfall for the once-prominent consumer DNA testing company. This collapse follows a devastating cyberattack in October 2023, which compromised the sensitive data of millions of users.

How 23andMe Rose to Prominence

Founded in 2006, 23andMe revolutionized the direct-to-consumer genetic testing industry, offering affordable ancestry and health-related DNA analysis. The company’s unique value proposition was its vast genetic database, built on user-submitted DNA samples, which provided insights into ancestry, health risks, and even genetic traits. Over time, 23andMe also monetized this data through partnerships with pharmaceutical companies and research institutions, sparking concerns over privacy and data security.

The Cyberattack That Sealed Its Fate

Despite handling extremely sensitive personal data, 23andMe failed to implement basic cybersecurity safeguards. The October 2023 breach exposed the data of nearly 7 million users, including full names, ancestry details, health-related genetic markers, and geographic locations. Attackers exploited weak security configurations and reused credentials, a glaring oversight for a company entrusted with such high-value data.

Our cybersecurity analysis at the time revealed insecure, misconfigured servers that left sensitive user data exposed. Even after the breach, 23andMe failed to address these vulnerabilities, allowing continued access to compromised datasets—an unacceptable failure in cybersecurity hygiene.