You can’t reset your DNA. So why are you letting companies treat it like a password?

Not long ago, mailing your saliva to a Silicon Valley startup was treated like a novelty – a quirky gift, a shortcut to family history, a light-hearted peek into your genetic future. Tens of millions have handed over their DNA to companies like 23andMe, Ancestry, and MyHeritage, seeking personalized health insights or ancestry reports.
But beneath the surface of those cheery results lies a far more complex transaction – one that trades a moment of curiosity for a lifetime of vulnerability. And while the industry has exploded into a multibillion-dollar giant, the safeguards around this most intimate data remain very fragile.
In a recent investigation we took a hard look at the cybersecurity practices of major direct-to-consumer (DTC) DNA testing companies – and what we found was alarming. Using the Business Digital Index (BDI), our researchers discovered that more than 85% of these companies failed to meet even the most basic security standards. Weak encryption, outdated infrastructure, and vague or misleading privacy policies were common – even among the industry’s biggest names, which promise users their genetic data is safe.
As someone who’s spent years probing digital vulnerabilities, I’ve rarely seen such a dangerous combination: valuable data, weak defenses, and barely any accountability. But with DNA, the stakes are personal and permanent.
Consumers are paying these companies for insights into their genetic makeup, often without fully understanding what they’re giving away, and how their DNA will be used to generate profit. We found that nearly 70% of these companies share genetic data with research partners, while over half send it to marketing and advertising services. Many of them retain that data for years, without clear mechanisms for deletion or the user’s control over its use.
These risks are already very real. In 2018, MyHeritage suffered a breach that exposed the email addresses and hashed passwords of 92 million users. In 2023, 23andMe was hit by a leak affecting over 7 million customers, many of whom had opted into a feature called “DNA Relatives.” That opt-in allowed attackers to harvest not only their information, but also data from genetically linked family members.
The company’s stock plummeted. CEO Anne Wojcicki stepped down. Earlier this year, 23andMe filed for bankruptcy – and now, the company is set to be acquired by pharmaceutical giant Regeneron for $256 million.
For those who’ve warned about the industry’s fragility, the collapse was far from surprising. But it was definitely unsettling. A household name imploding under the weight of its own promises should have sparked sweeping reform. It hasn’t. Instead, California’s Attorney General issued a rare warning, advising customers to consider deleting their genetic data altogether.
The Regeneron acquisition adds a new layer of risk and uncertainty for customers. While Regeneron has pledged to honor 23andMe’s privacy policies and comply with data protection laws, transferring such a vast trove of sensitive genetic data – especially after a major breach – creates new vulnerabilities. Mergers often lead to gaps in security as systems and staff are integrated, and oversight will be critical to ensure that customer DNA data isn’t exposed, misused, or sold without proper consent.
But that may be easier said than done.
A 2018 analysis of 55 direct-to-consumer genetic testing companies conducted by James W. Hazel and Christopher Slobogin found that only 44% addressed whether users could delete their genetic data, and just 9% (5 companies) allowed full deletion. Some companies explicitly stated deletion was impossible, often due to prior sharing or de-identification for research.
The issue gets even bigger if you look at how these companies handle data sharing. Many partner with pharmaceutical firms and research institutions – collaborations often framed as contributions to scientific progress. But the line between altruism and monetization is blurry. A 2022 investigation by Consumer Reports into five major direct-to-consumer genetic testing companies – 23andMe, AncestryDNA, CircleDNA, GenoPalate, and MyHeritage – found that while these firms promote strong DNA privacy protections, their treatment of non-genetic data poses significant privacy risks. Much of the data collected isn’t essential to core services, and opting into research studies may grant broader permissions than consumers realize.
These risks don’t stop at the individual level. They ripple through society. DNA data isn’t like a credit card number that can be canceled and reissued. It’s a permanent, unchangeable blueprint of who we are – and who we’re related to. In the wrong hands, it can be used for discrimination, blackmail, or state surveillance. Already, law enforcement agencies have begun using genealogical databases to solve crimes (remember the Golden State Killer case?). While effective, this practice raises profound ethical questions about consent, civil liberties, and the scope of digital policing.
The regulatory environment has failed to keep up. In the U.S., there is no comprehensive federal law governing the collection, storage, or sharing of genetic data in the private sector. The Genetic Information Nondiscrimination Act (GINA), passed in 2008, prohibits the use of genetic data for health insurance or employment decisions – but it doesn’t touch on data privacy. And international standards vary wildly, with some countries taking a more consumer-protective stance than others.
This leaves consumers exposed – and often unaware. A 2020 study by Aviad E. Raz and colleagues found that over 40% of 23andMe users were unaware that the company’s business model involved sharing their genetic data. Obviously, there is a need for clearer communication and more equitable forms of participation in commercial health research.
There’s a bitter irony in all this: the technology that promised to unlock the secrets of our ancestry and offer personalized health insights has, in many cases, created a permanent vulnerability – one that even cybersecurity experts can’t easily mitigate.
We wouldn’t tolerate this kind of recklessness with our bank details, our children’s school records, or our medical histories. So why are we letting it happen with our DNA? As a cybersecurity researcher, I know how vulnerable this data is. As a person, I know how irreplaceable it is.
Policymakers should act swiftly to establish clear, enforceable standards for genetic data protection – including mandatory encryption, breach reporting, data deletion rights, and restrictions on third-party sharing. Consumers must be empowered with transparency and meaningful consent. And the industry must recognize that genetic data isn’t just another commodity. It’s identity. It’s family. It’s the future.
Until this industry treats our DNA with the care and respect it demands, trust and privacy will remain elusive.
About the author
Aras Nazarovas is an Information Security Researcher at Cybernews, a research-driven online publication. Aras specializes in cybersecurity and threat analysis. He investigates online services, malicious campaigns, and hardware security while compiling data on the most prevalent cybersecurity threats. Aras along with the Cybernews research team have uncovered significant online privacy and security issues impacting organizations and platforms such as NASA, Google Play, App Store, and PayPal. The Cybernews research team conducts over 7,000 investigations and publishes more than 600 studies annually, helping consumers and businesses better understand and mitigate data security risks.
What a fantastic article! Congratulations on alerting consumers to the multiple issues they face when they unknowingly share their DNA data with these genealogy companies and then unwittingly with all their commercial partners and law enforcement. I have been warning users about the identity issues for years; however, you have also highlighted the IT security issues and the unknown sharing of DNA data that takes place under the guise of “Partner” organisations.