
Figure 1 and 2:
A few years ago, my friend excitedly shared screenshots of her 23andMe results. She had finally discovered her 22% “mysterious” Mongolian side, which her parents had kept a secret from her her whole life. In fact, because she was born in Beijing, she had thought she was Northern Chinese, but her DNA results said otherwise: that she was actually mostly Southern Chinese.
Just like my friend, in casual fashion, over 15 million people around the globe have also participated in the seemingly innocuous act of mailing a small plastic tube filled with saliva to a laboratory to learn about their genetic ancestry and personal identity. However, what was once a seemingly fun way to discover one’s genetic past became a nightmare for users when 6.9 million consumers’ DNA data were hacked, compiled, produced, and sold on the dark web in 2023 (Harwell, 2023).
23andMe’s data breach is much more than just losing a password or birthday; DNA does not have a reset button. It’s the most intimate data about someone. This catastrophic data hemorrhage reveals a broader societal failure in data privacy. At what point did we stop guarding our most permanent biological data and start volunteering it to tech companies in exchange for the dopamine hit of an ancestry reveal? All for what, $129?
The current digital environment is characterized by an ongoing, highly asymmetrical privacy bargain in which users are systematically conditioned to exchange their historically private and sensitive personal information for the promise of groundbreaking products and services (Hutchinson, 2026). Data privacy issues arise from a combination of people’s lack of awareness of how companies use personal data and business models whose sole purpose is to extract, combine, and ultimately weaponize data, like our DNA, for the benefit of increasing corporate profit. The danger here goes beyond our basic data; it extends to biocapitalism, where genetic codes can become companies’ intellectual property. To understand the scope of the risk, we need to understand the “invisible” infrastructure that makes up how we live digitally and how companies quietly harvest, package, and exploit our data.
Biocapitalism and Data Security
In the high-tech, digital world, everyone needs to know that we are no longer the “customers.” We are the “product,” and companies think of ways to capitalize on and monetize our data for profit like never before. And we unknowingly click the “Agree” button at the end of the service agreement without knowing the full scope of what we are signing up for. In other words, users are forced into a carefully controlled privacy externality that platforms develop through utopian visions of personalized empowerment and seamless connectivity across the globe, and, as a result, users willingly surrender the absolute borders of their personal lives (Hutchinson, 2026). You may think “doom scrolling” on TikTok is fun, but it’s the company’s algorithm collecting, recycling, and quietly monetizing your behavioral patterns in ways you will never fully see.
Maybe many people are willing to exchange their behavioral data for entertainment. But what about risking your health and genetic data so that companies can make a profit? To understand the predatory nature of this business model, we need to strip away the corporate mask of technological benevolence and examine the mechanics of biocapitalism. Biocapitalism, simply put, is when companies use biological data as raw materials to be extracted, owned, and turned into profit. This trend accelerated in the late 20th century, especially with the Biotech Boom in the 1990s to 2000s, and then again between 2016 and the COVID-19 period. According to Figure 3, there were approximately 500 biotech company IPOs in 2004 and then again in 2020, and the number is increasing. Modern data-driven corporations are cold, unrelenting extraction machines disguised as the democratization of scientific and health-related progress (Crawford, 2021, pp. 32-35). The core blueprint for our physical features and genetic codes is manipulated to create a new terra nullius, a digital wilderness with no legal use. This treats the human body as a free natural resource to generate wealth through data and increase market value.

Figure 3: Trend of Biotech Public Companies 2000 – 2020
And this is the truth behind these tech giants and biocapitalism. When faced with large-scale data crises, tech platforms immediately switch from being perceived as powerhouses to hiding behind the false image of being objective, neutral technologies (Flew, 2018, pp. 19 – 22). Tech giants create totalitarian power through their excessively long and opaque terms-of-service agreements, and they operate in a lawless cyberspace with no real representation or oversight from the people they claim to serve (Suzor, 2019, pp. 10 – 14). When they blame consumers for lax passwords, the platforms use the fiction of their neutrality to place all responsibility for the catastrophic collapse of their platforms squarely on individual consumers. This false sense of neutrality allows the platforms to hide an even more devastating reality: large-scale data-related disasters are not caused by consumer negligence, but by the intentional deployment of very fragile systems of forced connectivity, built into the foundational structure of their platforms in pursuit of maximum network effects at all costs, even at the expense of rudimentary human safety. Consumers live in a highly coercive illusion and mistakenly believe that when they click on a digital agreement, they are gaining access to modern scientific services. In reality, they are entering into an unbalanced treaty with a corporation, one that effectively cedes to it the consumer’s biological sovereignty on a global basis.
The Case Study: 23andMe and
The recent data breach at 23andMe, the largest ever for a genetic genealogy company, has shown that biocapitalism has caused a real-life crisis where millions of individuals were shocked to learn that they were more than just “customers.” Instead, they became the “inventory” for corporate platform architectures. This breach represents the culmination of extreme uses of human biological data for corporate profit by the platforms of biocapitalism.
The attackers got in through credential stuffing: an attack technique in which an attacker takes email addresses and passwords stolen from other sites (which may have been hacked) and tries them on the targeted site. Once inside the 23andMe platform, the attackers used 23andMe’s own internal features to target and collect information on roughly 6.9 million individuals (Alder, 2023; Newman, 2023b). Under traditional healthcare delivery processes, with separate, secure databases for storing and retrieving data, the scale of the structural damage would likely have been mitigated, because the two-step verification process for accessing personal medical or genetic records would have remained an effective safeguard. 23andMe reveals three key risks to data privacy:
- Customer’s Illusion of Data Control: When my friend signed up to take a DNA test with 23andMe, she thought that the company was acting in good faith and taking care of her private information. 23andMe sells to consumers at retail but at the same time receives revenue from outside companies that want to purchase genetic data and DNA for research, pharmaceuticals, and commercial partnerships. Stoeklé et al. (2016) illustrate how 23andMe functions as a dual-profit model: it sells products directly to end users on one side, and on the other it derives value from the large volume of information it has built up through its extensive biobank and database of DNA samples. Consumers believe that when they purchase an ancestry product they only receive information about their ancestors’ genealogy; however, they are helping build a long-term genetic database structure for the future. Ultimately, when the time comes, the company will put its profit objectives first, then the protection of its corporate reputation and, eventually, the value of its assets. So, in this process, the consumer is not only purchasing and receiving information about themselves but is also contributing to the creation of a corporate data asset, which could continue to exist after the actual transaction.
- Exploitation of Sensitive Data: Unlike a password, your DNA cannot be changed; your DNA will always be your DNA. Beyond accessing user accounts, the hackers did not simply dump the compromised database onto dark web forums as a loose, random collection of names and passwords. Instead, the exposed data was collected and disseminated in a way that identified specific ethnic groups. In fact, Ashkenazi Jewish and Chinese people were affected by this leak: approximately one million Jewish customers and 350,000 Chinese customers were in the data that was compiled and leaked (Newman, 2023a; Sridhar, 2024). This was no simple data breach; it also represented a targeted ethnic attack. This means that Jewish and Chinese minorities face an increased risk of being harassed, discriminated against, surveilled, or racially targeted (Marwick & boyd, 2018).
- These narrowly curated ethnically targeted lists demonstrate that data breaches do not impact all consumers in a similar way. The use of rigid biological classifications on the platform established a permanent infrastructure for classifying individuals by their ancestry and identity. The treatment of humans as purely extractable data points creates an efficient classification-based system for everyone that results in a loss of human dignity, essentially turning 23andMe into a high-precision racial profiler (Crawford, 2021, pp. 34-36).
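Credential stuffing, as described above, leaves a recognizable trace in login records: one source tries many different accounts and most attempts fail. The following Python is an added example of that detection, not 23andMe's code or anything from the cited sources; the log format, thresholds, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:00 198.51.100.7 alice@example.com FAIL
2023-10-01T10:00:02 198.51.100.7 bob@example.com FAIL
2023-10-01T10:00:04 198.51.100.7 carol@example.com OK
2023-10-01T10:00:06 198.51.100.7 dave@example.com FAIL
2023-10-01T10:00:08 198.51.100.7 erin@example.com FAIL
2023-10-01T10:00:10 198.51.100.7 frank@example.com FAIL
2023-10-01T10:01:00 203.0.113.20 grace@example.com FAIL
2023-10-01T10:01:20 203.0.113.20 grace@example.com FAIL
2023-10-01T10:01:45 203.0.113.20 grace@example.com OK
2023-10-01T10:02:00 192.0.2.55 heidi@example.com OK
"""

def parse(log_text):
    """Yield (timestamp, ip, account, succeeded) from each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, account, outcome == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: accounts that logged in successfully} for flagged sources.
    A source is flagged when, inside one sliding window, it tried at least
    min_accounts distinct accounts and at least min_fail_ratio of those
    attempts failed. A user retrying their own password touches a single
    account, so they never reach the distinct-account threshold.
    """
    by_ip = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            in_window = events[start:end + 1]
            accounts = {e[2] for e in in_window}
            fails = sum(1 for e in in_window if not e[3])
            if len(accounts) >= min_accounts and fails / len(in_window) >= min_fail_ratio:
                # Any success from a flagged source is a likely takeover.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones to lock and force through a password reset, since a successful login in the middle of a stuffing run means the reused password worked.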
In addition to the financial impact, this breach led to numerous other disadvantages for 23andMe due to declining consumer trust, negative public relations, lawsuits, and much lower revenues. In 2021, the company went public at a value of approximately $3.5 billion; by 2024 it had a value of approximately $300 million (a loss of approximately 91%) (DeGeurin, 2024). In March 2025, the company began voluntary Chapter 11 filings to facilitate the court’s supervision of the sale of 23andMe (23andMe, Inc., 2025a). In July 2025, the TTAM Research Institute, a nonprofit public benefit corporation created and controlled by Anne Wojcicki, completed the acquisition of the Personal Genome Service of 23andMe and the associated Research Services business (23andMe, Inc., 2025b).
These events demonstrate that genetic privacy does not only represent an issue of securing personal data; it also represents an issue of corporate governance. The bankruptcy, acquisition, or sale of an organization whose core asset is a database containing the biological properties of millions of individuals is itself a significant privacy violation event.

Figure 4: Timeline of 23andMe’s Collapse
“This is a total paradigm shift when it comes to the implications of a data breach.”
While a person may cancel their credit card if it is compromised, a person’s biological markers that create their physical identity cannot simply be erased or changed. Because of this, when 23andMe suffered a data breach, they converted an extremely sophisticated set of consumer data into a tool that could be used to profile, target, and persecute individuals. Ultimately, 23andMe made a sophisticated, massive consumer data set into a fully constructed and calibrated tool for persecution, just waiting on their servers for anyone to pull the digital trigger.
What Now?
Given the current trajectory of the digital economy, 23andMe’s data breach presents a stark example of the potentially catastrophic consequences associated with the commodification of biological data. When a consumer’s personal credit card is compromised, they can generally cancel it and obtain a new card; email account credentials may be reset. However, a person’s biological profile will, in a very real sense, outlive the individual and will be fixed in time as a record of that individual. Therefore, exposure of genetic and genealogically linked records of biological identity can carry risks across families, communities and future generations.
The 23andMe incident is a direct illustration of how the commercial exploitation of DNA in an unregulated digital economy is a direct violation of fundamental human safety and autonomy principles. To restore the autonomy we have lost relative to our genetic biospheres, it is incumbent upon us to bridge the substantial gap between society’s naive and uneducated notions about commercial genetic testing and the potential long-term impact of biological data collection on individual and societal integrity. The public must re-evaluate its understanding of commercial genetic testing, which some may see as a harmless, one-off entertainment experience. While these companies may market themselves as being in the ancestry, health, or research business, their business models also rely on the collection of data from customers through data mining, vague and unclear user agreements, and databases that are valuable because they are comprised of inherently private and irretrievable biological markers of the individual or the individual’s family (Crawford, 2021; Stoeklé et al., 2016).
The traditional notice-and-consent model used to regulate digital economies must be completely overhauled. The existing notice-and-consent framework fails to provide consumers with the choice they believe they are being given, while giving companies control over the actual definition, structure, and future uses of the data collected. Policymakers must view large, commercial genetic databases as sensitive critical infrastructure that requires the highest level of security, transparency, democratic oversight and restrictions on commercial transfer (Ram et al., 2025; Suzor, 2019). A “foundational right” to digital bodily integrity should also be included in the ongoing discussions that examine how law will treat genetic identifiers from an economic perspective. It is essential to recognize that genetic identifiers are not just ordinary commodities in the marketplace, and that unless society takes affirmative action to segregate human biological identity from the principal extractive operations of digital capitalism, the human biological material we provide to a company to extract and study will become a permanent data asset waiting to be exploited by future controllers of the database.
References
23andMe, Inc. (2025a, March 23). 23andMe initiates voluntary Chapter 11 process to maximize stakeholder value through court-supervised sale process. GlobeNewswire. https://www.globenewswire.com/news-release/2025/3/24/3047517/0/en/23andMe-Initiates-Voluntary-Chapter-11-Process-to-Maximize-Stakeholder-Value-Through-Court-Supervised-Sale-Process.html
23andMe, Inc. (2025b, July 14). TTAM Research Institute, a nonprofit public benefit corporation, completes the acquisition of 23andMe assets. 23andMe Media Center. https://mediacenter.23andme.com/press-releases/ttam-research-institute-nonprofit-public-benefit-corporation/
Acquisti, A., Taylor, C., & Wagman, L. (2016). The economics of privacy. Journal of Economic Literature, 54(2), 442-492. https://doi.org/10.1257/jel.54.2.442
Alder, S. (2023, December 5). 6.9 million 23andMe users affected by data breach. The HIPAA Journal. https://www.hipaajournal.com/6-9-million-23andme-users-affected-by-data-breach/
BDO. (2021, February 15). The biotech IPO boom. https://www.bdo.com/insights/industries/life-sciences/the-biotech-ipo-boom
Birch, K., & Tyfield, D. (2013). Theorizing the bioeconomy: Biovalue, biocapital, bioeconomics or . . . what? Science, Technology, & Human Values, 38(3), 299-327. https://doi.org/10.1177/0162243912442398
Crawford, K. (2021). Atlas of AI: Power, politics, and the planetary costs of artificial intelligence. Yale University Press.
de Brouwer, S. (2020). Privacy self-management and the issue of privacy externalities: Of thwarted expectations, and harmful exploitation. Internet Policy Review, 9(4). https://doi.org/10.14763/2020.4.1537
DeGeurin, M. (2024, February 16). Hackers got nearly 7 million people’s data from 23andMe. The firm blamed users in “very dumb” move. The Guardian. https://www.theguardian.com/technology/2024/feb/15/23andme-hack-data-genetic-data-selling-response
Fairfield, J. A. T., & Engel, C. (2015). Privacy as a public good. Duke Law Journal, 65(3), 385-457. https://scholarship.law.duke.edu/dlj/vol65/iss3/1
Flew, T. (2018). Platforms on trial. Intermedia, 46(2), 24-29. https://www.iicom.org/intermedia/intermedia-july-2018/platforms-on-trial/
Hernandez, J. (2025, March 24). 23andMe is filing for bankruptcy. Here’s what it means for your genetic data. NPR. https://www.npr.org/2025/03/24/nx-s1-5338622/23andme-bankruptcy-genetic-data-privacy
Intellizence. (n.d.). 23andMe files for bankruptcy amid mounting challenges. https://intellizence.com/insights/bankruptcy/23andme-files-for-bankruptcy-amid-mounting-challenges/
Marwick, A. E., & boyd, d. (2018). Understanding privacy at the margins: Introduction. International Journal of Communication, 12, 1157-1165. https://ijoc.org/index.php/ijoc/article/view/7053
Newman, L. H. (2023a, October 6). 23andMe user data stolen in targeted attack on Ashkenazi Jews. WIRED. https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
Newman, L. H. (2023b, December 5). The 23andMe data breach keeps spiraling. WIRED. https://www.wired.com/story/23andme-breach-sec-update/
Ram, N., Prince, A. E. R., Roberts, J. L., Fox, D., & Spector-Bagdady, K. (2025). The precarious future of consumer genetic privacy. Science, 389(6765), 1092-1094. https://doi.org/10.1126/science.adz7229
Randles, J. (2025, March 24). 23andMe’s bankruptcy puts 15 million users’ DNA info on auction block. Bloomberg. https://www.bloomberg.com/news/articles/2025-03-24/23andme-s-bankruptcy-puts-15-million-users-dna-info-on-auction-block
Sridhar, S. (2024, January 29). 23andMe delayed telling Ashkenazi Jews, Chinese their data was stolen. Daily Journal. https://www.dailyjournal.com/articles/376899-23andme-delayed-telling-ashkenazi-jews-chinese-their-data-was-stolen
Stoeklé, H.-C., Mamzer-Bruneel, M.-F., Vogt, G., & Hervé, C. (2016). 23andMe: A new two-sided data-banking market model. BMC Medical Ethics, 17, Article 19. https://doi.org/10.1186/s12910-016-0101-9
Sunder Rajan, K. (2006). Biocapital: The constitution of postgenomic life. Duke University Press.
Suzor, N. P. (2019). Lawless: The secret rules that govern our digital lives. Cambridge University Press.