
California Attorney General Sues Chrome Holding Over 2023 23andMe Data Breach
California Attorney General Rob Bonta has announced a lawsuit against Chrome Holding, the successor firm to DNA testing company 23andMe. The legal action follows an investigation revealing that 23andMe allegedly neglected to protect sensitive customer data, resulting in a substantial breach in 2023.
The breach reportedly exposed genetic predispositions, risk factors, biological relatives, ancestry, and ethnicity for nearly seven million users. Mr Bonta stated, “Our investigation found that the company failed to take basic steps to protect users’ data,” further alleging that 23andMe “lied to consumers about the severity of its 2023 data breach.” Chrome Holding was rebranded after 23andMe filed for bankruptcy last year.
Mr Bonta also highlighted the disturbing sale of 23andMe user data on the dark web, where threat actors specifically advertised it as belonging to Asian American Pacific Islanders (AAPI) and Jewish users. He described this targeting as “incredibly dangerous” during a period of “mounting anti-Asian American and Pacific Islander and antisemitic hate and violence.”
The breach was attributed to a “credential stuffing” attack, in which hackers used passwords exposed in previous data incidents to access 23andMe accounts whose users had recycled login details. This incident has drawn international regulatory scrutiny for the company.
Last year, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31m. The ICO concluded that the company failed to implement adequate measures to secure sensitive user data prior to the breach, which affected the personal data of 155,592 UK residents. Under UK data protection law, genetic information is classified as a special category of data, necessitating enhanced protections. The ICO’s probe, conducted in collaboration with Canada’s privacy commissioner, found that 23andMe breached UK law by not employing appropriate authentication and verification protocols during its login process.
Concerns were further raised last year when users reported difficulties deleting their accounts after 23andMe sought Chapter 11 bankruptcy protection. Some users voiced apprehensions that insurance companies might acquire their data to inform coverage decisions.

