California Attorney General Rob Bonta has filed a lawsuit against genetic testing company 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect sensitive customer genetic and personal information prior to a major data breach that exposed millions of users.
The lawsuit stems from the 2023 cyberattack that compromised the personal and genetic data of approximately 6.9 million customers, including more than 855,000 California residents.
2023 Data Breach Exposed Sensitive Genetic Information
The security incident first became public in October 2023 when cybercriminals began advertising stolen 23andMe customer records for sale online. To verify the authenticity of the data, attackers released samples of the stolen information and later leaked larger portions of the dataset.
23andMe subsequently confirmed that the leaked data was genuine and attributed the breach to a credential-stuffing attack, a technique in which attackers use previously stolen usernames and passwords to gain access to accounts with weak or reused credentials.
However, investigators later discovered that the attack extended beyond individual account compromises.
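As an added illustration of the kind of detection the complaint says was missed (example code written for this article, not 23andMe's code or anything from the filing), the following defender-side heuristic flags credential stuffing in authentication logs: one source address trying many distinct accounts with a high failure rate. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp src_ip user result"; not real data.
SAMPLE_LOG = """\
2023-09-01T10:00:01 203.0.113.7 alice FAIL
2023-09-01T10:00:02 203.0.113.7 bob FAIL
2023-09-01T10:00:03 203.0.113.7 carol OK
2023-09-01T10:00:04 203.0.113.7 dave FAIL
2023-09-01T10:00:05 203.0.113.7 erin OK
2023-09-01T10:00:06 203.0.113.7 frank FAIL
2023-09-01T10:02:00 198.51.100.9 alice FAIL
2023-09-01T10:02:30 198.51.100.9 alice OK
"""

def parse_log(text):
    """Yield (timestamp, src_ip, user, success) from the constructed log format."""
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(text, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that attempt many distinct accounts with a high failure
    rate inside one time window: a legitimate user rarely fails across many
    accounts from one address, while a stolen credential list does exactly that.
    Returns {ip: {"accounts_tried", "accounts_compromised", "fail_ratio"}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start:end+1] fits in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                alerts[ip] = {  # later qualifying windows overwrite earlier ones
                    "accounts_tried": len(users),
                    "accounts_compromised": sorted(u for _, u, ok in win if ok),
                    "fail_ratio": round(ratio, 2),
                }
    return alerts
```

The "accounts_compromised" list is the blast radius a responder would use to force password resets and session revocation for the affected accounts.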
DNA Relatives Feature Played a Key Role
According to reports, attackers initially gained access to accounts enrolled in 23andMe’s “DNA Relatives” feature, a service that allows users to connect with genetic relatives.
Through this feature, threat actors were able to access information linked to a much larger group of users, including many who had not enabled the DNA Relatives option themselves.
As a result, the breach exposed highly sensitive information, including:
- Genetic profile data
- Health predisposition information
- Ancestry and ethnicity details
- DNA match information
- Biological relative connections
- Personal account information
The scale and nature of the exposed data made the incident one of the most significant genetic privacy breaches in recent years.
Attorney General Alleges Multiple Security Failures
The lawsuit alleges that 23andMe failed to implement reasonable cybersecurity measures to prevent credential-stuffing attacks and missed several opportunities to identify and stop the intrusion before it escalated.
California’s Attorney General also claims the company failed to detect a coding flaw within the DNA Relatives feature that enabled attackers to access a significantly broader pool of customer information.
According to the complaint, these shortcomings directly contributed to the widespread exposure of customer data.
Misleading Statements Under Scrutiny
In addition to the alleged security failures, the lawsuit accuses 23andMe of making misleading public statements regarding its cybersecurity practices.
Before the breach, the company reportedly promoted its security controls as meeting high industry standards. Following the incident, 23andMe allegedly attempted to minimize the seriousness of the breach by suggesting that much of the exposed information was already publicly accessible.
The complaint also highlights statements in which the company placed responsibility on customers for reusing passwords while maintaining that its own systems had not been directly breached.
California regulators argue that these statements may have misled consumers about the true nature and severity of the incident.
Alleged Violations of California Privacy Laws
Attorney General Bonta’s lawsuit claims that 23andMe violated several California laws, including:
- California Genetic Information Privacy Act (GIPA)
- California Consumer Privacy Act (CCPA)
- California Reasonable Data Security Law
- California False Advertising Law
- California Unfair Competition Law
The state is seeking court orders to prevent future violations and may pursue statutory penalties ranging from $1,000 to $7,500 per violation, depending on the circumstances.
Ongoing Bankruptcy and Data Sale Concerns
The legal action comes amid broader concerns surrounding 23andMe’s financial difficulties and bankruptcy proceedings.
According to the Attorney General’s office, a separate legal dispute remains ongoing regarding the proposed sale of Californians’ genetic information and biological materials as part of bankruptcy-related proceedings.
Privacy advocates have raised concerns about how sensitive genetic data could be handled during the company’s restructuring process.
Key Takeaway
The lawsuit against 23andMe highlights growing regulatory scrutiny over how organizations collect, store, and protect genetic information. As genetic testing services continue to gain popularity, the case underscores the importance of robust cybersecurity measures and transparency when handling highly sensitive personal data.
The outcome of the lawsuit could have significant implications for data privacy standards across the genetic testing and healthcare industries.
