23andMe, a prominent direct-to-consumer genetic testing company, has declared bankruptcy—and this has raised major concerns among privacy experts about the potential misuse of customers’ genetic data. Since the company’s founding in 2006, over 15 million people have submitted their DNA for ancestry and health risk analysis.
Experts warn that this data, which reveals intimate details about individuals’ genetic makeup and family connections, could be exploited. In a 2023 data breach, a hacker accessed personal and ancestry data from 7 million users, targeting specific ethnic groups. Although raw DNA sequences weren’t leaked, sensitive information was offered for sale, highlighting the vulnerability of genetic data.
Another concern is around “genetic discrimination.” For example, employers or insurers could potentially use genetic mutations, such as those increasing cancer risk, to deny jobs, scholarships, or coverage.
Legal protections against such discrimination vary globally. In the EU, genetic data use by employers or insurers is largely forbidden, but in the U.S., gaps remain—especially since companies like 23andMe aren’t classified as medical providers and therefore operate under less stringent regulations.
Notably, 23andMe is not governed by the Health Insurance Portability and Accountability Act (HIPAA); instead, it adheres to its own privacy policies, which permit the sale or transfer of personal information during events like bankruptcy or acquisition.
What’s the lesson here?
When consumers entrust private companies with highly sensitive information like genetic data, they may be exposing themselves to serious privacy risks beyond their control. Without robust regulatory oversight, such as HIPAA, companies can legally transfer or sell personal data during events like bankruptcy, regardless of user consent. As personal data becomes an asset (or a bargaining chip) for corporations, we need more comprehensive data privacy laws that prioritize individual rights.
This underscores the importance of not only securing data, but also ensuring that backups of critical and sensitive data are stored in compliant, well-regulated environments.
What other topics are trending?
- Oracle Health breach compromises patient data at US hospitals: An attacker accessed legacy servers using stolen customer credentials and copied patient data to a remote server.
- DeepSeek users targeted with fake sponsored Google ads that deliver malware: Cybercriminals are using the AI tool as a lure to trap unsuspecting Google searchers.
- Solar power gear vulnerable to remote sabotage: Cybersecurity firm Forescout uncovered 46 vulnerabilities in solar inverters from leading vendors in China and Germany—which could have produced large-scale power outages.
The Soapbox: Online conversations you don’t want to miss
Featuring insights from our Co-Founder & CTO, James Ciesielski.
Coming in through the back door: How hackers can weaponize code agents

James’ take? A newly discovered vulnerability in GitHub Copilot and Cursor shows how easily AI coding agents can be tricked into writing malicious code—just by altering a simple config file. For developers and security teams, this is a wake-up call: if your AI tools can be manipulated, so can your codebase. It’s a reminder that as we embrace AI, we need to double down on secure development practices.
Join the conversation on X.
Don’t be (April) fooled: Risks of trusting fake ISO 27001 or SOC 1, 2, or 3 security certifications
James’ take? Not all ISO 27001 or SOC certifications are created equal—some may misrepresent reality, and others may be outright fake. With increasing pressure to prove compliance, it’s easy for bad actors to exploit trust. Always verify with the issuing body and do your own due diligence before assuming you’re in safe hands.
Join the conversation on Reddit.
Industry reports & events
Protecting SaaS data in the face of rising risks
Gartner predicts that end-user SaaS spending will reach $300 billion this year—and with threats like ransomware and AI-driven risks evolving at an unprecedented pace, data loss in SaaS platforms is not a question of if, but when.
Get ahead of data loss with our new guide, which outlines the current landscape of data threats, breaks down industry standard practices like the 3-2-1 backup rule for SaaS, and explains how to build data resilience with automated backups.
Drop by the Rewind booth at RSAC 2025, Apr. 28 – May 1
April 28-May 1, 2025 | San Francisco, California
Attending RSAC™ in San Francisco later this month? Drop by and see us at booth #2433 to find out how to protect your critical SaaS data from everything from accidental loss and outages to AI-driven risks. Experience the power of Rewind firsthand as experts walk you through a demo!
Subscribe to Retro for more!
Like what you read? Subscribe to Retro so you don’t miss any of our industry’s top stories and conversations.