On March 24, 2025, genetic testing pioneer 23andMe filed for Chapter 11 bankruptcy protection, with co-founder and CEO Anne Wojcicki resigning immediately. This dramatic fall—from a company once valued at $6 billion to bankruptcy in just a few years—represents more than just another failed biotech startup. It exemplifies a fundamental challenge facing data-driven businesses: the delicate balance between protecting sensitive information and making that same data strategically useful for business purposes. This is not mere coincidence; both problems stem from the same root cause.
23andMe’s Twin Failures
When 23andMe disclosed a data breach in October 2023, the initial report suggested only 14,000 accounts were affected. Later investigations revealed a much more extensive impact: 6.9 million customers had their data compromised through a credential stuffing attack, where hackers used passwords stolen from other sites to access 23andMe accounts.
The breach wasn’t random but “a calculated and targeted operation” focusing on specific demographic groups, including data for about 1 million Ashkenazi Jews.
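The credential stuffing pattern described above (one source trying stolen passwords against many different accounts) is detectable in ordinary authentication logs. The following is an added example, not code from the original article or from 23andMe, using a constructed log format (timestamp, source IP, account, outcome) and a hypothetical threshold of five distinct accounts per source within ten minutes:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic): time, source IP, account, outcome
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol FAIL
2023-10-01T10:00:04Z 203.0.113.7 dave OK
2023-10-01T10:00:05Z 203.0.113.7 erin FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank FAIL
2023-10-01T10:03:00Z 198.51.100.9 alice FAIL
2023-10-01T10:03:30Z 198.51.100.9 alice FAIL
2023-10-01T10:04:00Z 198.51.100.9 alice OK
"""

def parse(log_text):
    """Turn each log line into (datetime, ip, account, outcome)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that try >= min_accounts distinct accounts inside `window`.

    Many accounts from one source is the stuffing signature; many tries on one
    account is plain brute force and is deliberately not flagged here.
    Returns {ip: sorted accounts that saw a successful login from that ip},
    i.e. the accounts to treat as likely taken over.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {u for _, u, _ in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = sorted({u for _, u, o in attempts if o == "OK"})
                break
    return flagged
```

Accounts listed for a flagged source are candidates for forced password reset and session revocation, which is the response step the article's later discussion of blaming customers contrasts with.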
Simultaneously, 23andMe struggled with a fundamental business challenge: extracting ongoing value from its vast database of genetic information. It lacked a continuing business model – once you’d paid for your DNA report, there was very little for you to return for. This one-time purchase problem meant the company had never turned a profit since its founding in 2006, despite initial success and celebrity endorsements like Snoop Dogg, Oprah Winfrey, and Warren Buffett.
These twin failures—inability to protect data adequately while also failing to derive sustainable value from it—stemmed from the same data governance weaknesses. Both reflected a company that had not properly aligned its data security management with its business objectives, creating vulnerabilities in both areas simultaneously.
The Security-Utility Paradox
At the heart of 23andMe’s downfall lies a paradox that challenges all data-driven businesses: valuable data must be simultaneously protected and accessible. This requires a sophisticated database security approach that enables legitimate use while preventing unauthorized access.
Where 23andMe went wrong was in collecting massive amounts of sensitive genetic information without adequate data classification to determine appropriate security levels. The company had amassed a DNA database of 14 million customers, which it had been analyzing with pharmaceutical giant GlaxoSmithKline to try to find medical breakthroughs. Yet this collection occurred without clear strategic parameters for how this data would consistently generate value while remaining secure.
This misalignment manifested in both security vulnerabilities and business model weakness. Without proper classification of data sensitivity and value, the company couldn’t implement tiered security controls that would have protected the most sensitive information while making appropriate data available for innovation.
The Missing Framework: Purpose-Driven Data Governance
What 23andMe critically lacked was a coherent data governance framework connecting business purpose with access controls. Effective data lineage—tracking how information flows through an organization—would have enabled the company to understand both the security implications and business potential of its genetic database.
Harvard Law School’s I. Glenn Cohen observed that while “customers have made the decision to share with 23andMe, from whom they get a lot of benefit, they really have very little say about what will happen should the company be taken over or should the company go bankrupt, and its assets sold.” This disconnect between consumer expectations and corporate data practices revealed the absence of purpose-driven data governance.
Companies that successfully balance security and utility implement data governance tools that maintain tight control over sensitive information while enabling innovation. Such tools ensure that data serves legitimate business purposes while remaining protected from unauthorized access—a balance 23andMe failed to achieve.
Data Stewardship at Scale
Proper data stewardship could have bridged 23andMe’s security-utility gap. Data stewards serve as the human connection between business objectives and security requirements, ensuring that sensitive information is protected while legitimate business needs are met.
Thorough data profiling would have helped 23andMe understand which data assets were most valuable and most sensitive, guiding both security investments and business strategy. Instead, the company found itself with an enormous database that it couldn’t effectively monetize or adequately protect—a clear failure of data stewardship.
The Technology Gap: Precision Access Control
The credential stuffing attack that breached 23andMe revealed significant gaps in the company’s security technology. Modern cloud data security solutions could have prevented this breach while enabling legitimate access to necessary information.
Sophisticated data tokenization techniques would have allowed 23andMe to support research and analytics without exposing sensitive genetic information. By replacing sensitive data elements with non-sensitive equivalents, tokenization maintains data utility while significantly reducing risk. This approach enables the “pinpoint data accessibility precision” that data-driven businesses require—ensuring no one accesses sensitive information without absolute necessity, while guaranteeing that legitimate business needs can be met immediately.
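As an added illustration of the tokenization approach just described (example code, not 23andMe's or any vendor's implementation), the hypothetical vault below replaces identity fields with keyed tokens so that analysts can still join and aggregate records by person, while reversing a token requires an explicitly privileged role. Field names, roles and records are constructed for the example:

```python
import hashlib
import hmac
import secrets
from collections import Counter

SENSITIVE_FIELDS = ("email", "name")  # identity fields replaced by tokens

class TokenVault:
    """Hypothetical vault: only this object can map a token back to its value."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._store = {}  # token -> original value, never leaves the vault

    def _token(self, value):
        # Keyed HMAC: same input gives the same token, so tokenized records
        # from different batches still join on the same person.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        return "tok_" + digest[:16]

    def tokenize(self, record):
        out = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in out:
                token = self._token(out[field])
                self._store[token] = out[field]
                out[field] = token
        return out

    def detokenize(self, token, caller_role):
        # Reversal is the sensitive operation; gate it on an explicit role.
        if caller_role != "privacy-officer":
            raise PermissionError("role %r may not detokenize" % caller_role)
        return self._store[token]

# Constructed sample records (not real customers or real markers)
RECORDS = [
    {"email": "a@example.com", "name": "Ann", "variant_rs1": "AG"},
    {"email": "b@example.com", "name": "Bo", "variant_rs1": "GG"},
    {"email": "a@example.com", "name": "Ann", "variant_rs1": "AG"},
]

def variant_frequency(tokenized_records, marker):
    """Analytics that runs on tokenized data and never sees an identity field."""
    return Counter(r[marker] for r in tokenized_records)
```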
The breach led to significant consequences: a $30 million class action settlement and a notice of intent from the UK’s Information Commissioner’s Office to fine the company £4.59 million. These penalties underscored the costs of failing to implement adequate data security standards.
Rebuilding Trust Through Governance
Perhaps most damaging to 23andMe was its response to the breach, which severely undermined customer trust. The company’s lawyers sent letters appearing to blame customers for the breach because they “negligently recycled and failed to update their passwords.” This approach backfired dramatically, further damaging the company’s reputation.
Just days before the bankruptcy filing, California Attorney General Rob Bonta issued a “consumer alert” regarding the “trove of sensitive consumer data 23andMe has amassed,” reminding Californians they have the right to direct the company to delete their genetic data. This intervention highlighted the growing compliance and risk management challenges facing companies that handle sensitive information.
As Deputy Commissioner Stephen Bonner of the UK ICO stated, “As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers,” even during bankruptcy proceedings. This regulatory oversight emphasizes that data protection obligations continue regardless of a company’s financial circumstances.
The Competitive Advantage of Balanced Data Governance
The 23andMe case illustrates how the ability to balance opportunity and risk creates maximum competitive advantage. Companies that master this balance outperform competitors by both protecting sensitive information and extracting ongoing value from their data assets.
This balanced approach requires:
- Purpose-driven data collection – Only collecting data that serves clear strategic objectives
- Granular access controls – Implementing technology that enables legitimate access while preventing unauthorized use
- Strong data stewardship – Establishing roles and responsibilities for data management
- Technology enablement – Deploying solutions that support both security and utility
While 23andMe struggled with a “one and done” business model, companies with strong data governance can create recurring value from their data assets. This might include diversified revenue streams of the kind 23andMe attempted (direct sales of genetic testing kits, optional ongoing subscriptions for premium services, and research partnerships), but with clearer alignment between data collection and sustainable business outcomes.
Conclusion
23andMe’s collapse offers a stark warning about what happens when security and utility are treated as separate concerns rather than aspects of the same challenge. The company collected one of the most valuable data assets imaginable—the genetic information of millions of people—but couldn’t translate that into sustainable business value or adequate protection.
For data-driven businesses to thrive, they must recognize that security and utility are not opposing forces but complementary objectives. Both require purpose-driven governance frameworks that align data practices with strategic goals. Only by mastering this balance can companies unlock the full potential of their data while maintaining the trust of customers and regulators.
The 23andMe case study demonstrates that in today’s data economy, competitive advantage comes not from collecting the most data, but from establishing the most effective governance framework for balancing opportunity and risk. Those who learn this lesson will avoid 23andMe’s fate and instead harness data as a sustainable source of business value.
Data Security Assessment
Don’t let your organization become the next cautionary tale. Take action today to align your data security and strategic utility:
- Assess your current state – Conduct a comprehensive audit of your data assets, their classification, lineage, and governance controls. Identify gaps between security measures and business utility.
- Appoint dedicated data stewards – Establish clear roles and responsibilities for managing the balance between data protection and business value.
- Implement purpose-driven governance – Ensure every data element you collect serves a clear business purpose, with appropriate security controls matched to sensitivity.
- Invest in precision technology – Deploy modern data governance tools that enable granular access controls, data tokenization, and cloud security measures.
- Create a data value roadmap – Develop a clear strategy for generating sustainable value from your data assets while maintaining appropriate protection.
The time to act is now—before your valuable data becomes either a liability through breach or a wasted asset through underutilization. Schedule a demo and transform your data governance into a competitive advantage.