California Attorney General sues 23andMe successor for 2023 data breach
California's Attorney General sued Chrome Holding, successor to 23andMe, for a 2023 data breach exposing genetic data of nearly seven million users due to inadequate security. The breach, via credential stuffing, led to data sales targeting AAPI and Jewish users, prompting a £2.31M UK fine and international regulatory scrutiny.
California's Attorney General Rob Bonta has filed a lawsuit against Chrome Holding, the successor to DNA testing firm 23andMe, alleging that the company failed to adequately protect sensitive customer data, resulting in a significant data breach in 2023. The breach exposed genetic predispositions, risk factors, ancestry, ethnicity, and information about biological relatives of nearly seven million users. Bonta stated that the investigation found 23andMe did not implement basic security measures, adding that the company "lied to consumers about the severity of its 2023 data breach." The lawsuit follows 23andMe's rebranding after filing for bankruptcy last year, with Chrome Holding emerging as its successor.
The alleged breach has raised serious concerns due to the subsequent sale of user data on the dark web, which threat actors specifically marketed as belonging to Asian American Pacific Islander (AAPI) and Jewish users. Bonta described this as "disturbing and incredibly dangerous," particularly given the timing amid rising anti-Asian American and Pacific Islander and antisemitic hate and violence. The breach occurred through a "credential stuffing" attack, in which attackers took username and password pairs exposed in earlier, unrelated breaches and tried them against 23andMe, gaining access to accounts whose owners had reused those credentials.
The 2023 data breach has drawn international regulatory scrutiny, including a £2.31 million fine from the UK's Information Commissioner's Office (ICO) last year. The ICO found that 23andMe failed to implement adequate security measures to protect sensitive user data, with the personal data of 155,592 UK residents accessed in the breach. Under UK data protection law, genetic data is classified as a special category requiring heightened protections, and the ICO determined that 23andMe violated these laws by not enforcing proper authentication and verification measures during login processes. The investigation was conducted in coordination with Canada's privacy commissioner.
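The article describes the mechanism (stolen credentials from other breaches replayed against 23andMe logins) and the regulators' finding that login verification was inadequate. The following is an added example, not code from the article, 23andMe or any regulator, showing what a defender's login-telemetry check for this pattern looks like: a credential-stuffing run shows up as one source address cycling through many distinct accounts with a very low success rate, and every account that did succeed from such a source should be forced through re-verification (second factor or password reset) rather than trusted. The log line format and the sample lines are constructed for this example; the thresholds are assumptions to be tuned against real traffic.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example (not from the article). Assumed line format, one event per line:
    <ISO-8601 timestamp> ip=<source address> user=<account> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_accounts=10, max_success_ratio=0.2):
    """Return {ip: summary} for source addresses whose activity, in any sliding
    window of `window` length, touches at least `min_accounts` distinct accounts
    with a success ratio at or below `max_success_ratio`.

    A stuffing run tries each stolen (account, password) pair roughly once, so
    it looks like many accounts, few successes; a user mistyping their own
    password looks like one account, several failures, then a success.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                # Once any window qualifies, summarise everything this IP did:
                # the accounts that succeeded are the ones needing forced re-verification.
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_accounts": len({e["user"] for e in evs}),
                    "successes": sum(e["ok"] for e in evs),
                    "successful_logins": sorted(e["user"] for e in evs if e["ok"]),
                }
                break
    return flagged


# Constructed sample: a legitimate user fumbling a password, a normal login,
# and one address trying twelve different accounts in eleven seconds.
SAMPLE_LOG = [
    "2023-10-01T12:00:00 ip=198.51.100.7 user=alice@example.com result=fail",
    "2023-10-01T12:00:05 ip=198.51.100.7 user=alice@example.com result=fail",
    "2023-10-01T12:00:12 ip=198.51.100.7 user=alice@example.com result=ok",
    "2023-10-01T12:03:00 ip=192.0.2.10 user=bob@example.com result=ok",
] + [
    f"2023-10-01T12:01:{i:02d} ip=203.0.113.5 user=victim{i}@example.com "
    f"result={'ok' if i in (3, 9) else 'fail'}"
    for i in range(12)
]


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary['successes']}/{summary['attempts']} succeeded across "
              f"{summary['distinct_accounts']} accounts; "
              f"force re-verification for {summary['successful_logins']}")
```

Run against the constructed sample, only 203.0.113.5 is flagged (12 attempts, 12 accounts, 2 successes), while Alice's three tries on her own account are not. The distinct-account count is what separates stuffing from brute force against one account, and it is also why per-account lockouts alone do not catch it; the check has to be keyed on the source as well, and any account that succeeded from a flagged source should be treated as compromised until its owner re-verifies.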
23andMe has faced additional scrutiny over issues related to user privacy and account deletions, particularly after filing for Chapter 11 bankruptcy protection last year. Some users expressed concerns that their data could be sold to insurance companies, potentially affecting their coverage eligibility. Founded by Anne Wojcicki, the company once counted high-profile figures like Snoop Dogg, Oprah Winfrey, and Eva Longoria among its customers. Its share price exceeded $300 at its peak before plummeting in 2024. The lawsuit underscores the growing concerns around genetic data privacy and the responsibilities of companies handling such sensitive information.