
California Attorney General Sues Chrome Holding Over 2023 23andMe Data Breach
California Attorney General Rob Bonta announced a lawsuit against Chrome Holding, the successor to DNA testing firm 23andMe, following a probe that concluded the company failed to safeguard sensitive customer data.
Bonta stated that the lapse resulted in a 2023 data breach which exposed genetic predispositions, risk factors, and information on biological relatives, ancestry, and ethnicity for nearly seven million users. “Our investigation found that the company failed to take basic steps to protect users’ data,” Bonta asserted, adding that 23andMe “lied to consumers about the severity of its 2023 data breach.”
The Attorney General’s office further alleges that data belonging to Asian American and Pacific Islander users and Jewish users was specifically touted and sold by threat actors on the dark web. Bonta described this as “disturbing and incredibly dangerous,” particularly “given it occurred during a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence.”
The breach occurred via a “credential stuffing” attack, in which hackers used passwords exposed in previous breaches to log in to 23andMe accounts whose users had reused the same login details. This incident has drawn international regulatory scrutiny.
Last year, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31m, citing a failure to implement adequate data security measures prior to the incident, which saw personal data of 155,592 UK residents compromised. The ICO’s probe, conducted with Canada’s privacy commissioner, found 23andMe violated UK law by not employing appropriate authentication and verification processes during login.
Genetic data is classified as a special category under UK data protection law, necessitating enhanced protections. Chrome Holding states it has “made several binding commitments to enhance protections for customer data and privacy.”

