California AG Sues 23andMe Over 2023 Breach Exposing Health Data

California Attorney General Rob Bonta has filed a lawsuit against 23andMe, now known as Chrome Holding Co., due to the company’s failure to protect sensitive customer genetic and personal information. 🚨

The lawsuit stems from a significant data breach that occurred in 2023, which exposed the sensitive information of nearly 7 million customers, including 855,541 Californians. The breach was revealed in October 2023 when threat actors attempted to sell a large number of records stolen from 23andMe and leaked data samples to prove the authenticity of the information. The company confirmed that the leaked data was genuine, claiming it was extracted following a credential-stuffing attack targeting accounts with weak credentials.

It became evident that the attackers had exfiltrated data from users who opted into the platform’s ‘DNA Relatives’ feature, and subsequently accessed a much larger set of accounts that did not use this feature. In total, the incident exposed data of approximately 6.9 million customers, including genetic data, health predisposition information, ancestry and ethnicity information, biological relatives, and DNA matches.

By the end of 2023, 23andMe was already facing multiple lawsuits. In early 2024, national data protection authorities launched investigations that ultimately resulted in multi-million-dollar fines, leading the company to file for bankruptcy. The latest lawsuit filed by AG R. Bonta claims that 23andMe failed to implement reasonable safeguards against credential-stuffing attacks, missed multiple opportunities to detect the intrusion, and failed to catch a coding error in the DNA Relatives feature that led to the widespread breach.
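The complaint's point about missed detection opportunities is concrete enough to illustrate: credential stuffing has a recognisable signature in authentication logs (one source trying many distinct accounts in a short window, mostly failing, with a small number of successes), which differs from password brute force (many attempts against one account) or an ordinary user mistyping. The following is an added example, not code from the post or from 23andMe; the log line format, the thresholds, and the sample lines (constructed, not real customer data) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real 23andMe data).
# One source address cycles through ten different accounts within seconds and
# lands two successes; the other sources show ordinary single-user behaviour.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice@example.test result=fail
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob@example.test result=fail
2023-10-01T10:00:02Z ip=203.0.113.7 user=carol@example.test result=success
2023-10-01T10:00:03Z ip=203.0.113.7 user=dave@example.test result=fail
2023-10-01T10:00:04Z ip=203.0.113.7 user=erin@example.test result=fail
2023-10-01T10:00:05Z ip=203.0.113.7 user=frank@example.test result=success
2023-10-01T10:00:06Z ip=203.0.113.7 user=grace@example.test result=fail
2023-10-01T10:00:07Z ip=203.0.113.7 user=heidi@example.test result=fail
2023-10-01T10:00:08Z ip=203.0.113.7 user=ivan@example.test result=fail
2023-10-01T10:00:09Z ip=203.0.113.7 user=judy@example.test result=fail
2023-10-01T10:05:00Z ip=198.51.100.2 user=alice@example.test result=fail
2023-10-01T10:05:20Z ip=198.51.100.2 user=alice@example.test result=success
2023-10-01T11:30:00Z ip=192.0.2.9 user=bob@example.test result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=8):
    """Flag source IPs that attempt logins to at least `min_distinct_users`
    distinct accounts inside any sliding `window`. For each flagged IP the
    widest such window is reported, together with the accounts that were
    successfully logged into from it (the accounts to force a password
    reset on and review for data access)."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            distinct = {e["user"] for e in span}
            if len(distinct) < min_distinct_users:
                continue
            successes = sorted({e["user"] for e in span if e["result"] == "success"})
            prev = findings.get(ip)
            if prev is None or len(distinct) > prev["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(distinct),
                    "attempts": len(span),
                    "successes": len(successes),
                    "compromised_accounts": successes,
                    "window_start": span[0]["ts"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, f)
```

The distinct-accounts-per-source heuristic is deliberately not a failure-rate heuristic: a stuffing run against reused passwords succeeds often enough that a low failure ratio alone would not flag it. The usual caveat applies to the threshold: a corporate NAT gateway or a mobile carrier egress can legitimately present many distinct users from one address, so the output is an alerting signal to pair with per-account rate limiting and a second factor, not a block list on its own.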

In addition to these data protection failures, Bonta highlights the misleading public statements made by 23andMe before and after the incident. The firm claimed prior to the breach that its security met high standards. After the breach, it attempted to downplay the severity of the incident, suggesting that the exposed data was largely public and blaming customers for password reuse, stating that its systems had not been breached.

Overall, the Attorney General argues that these actions violated several state laws, including the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The complaint seeks an injunction to prevent any further violations of these laws, together with statutory penalties ranging from $1,000 to $7,500 per violation, depending on the case.

This post is licensed under CC BY 4.0 by the author.