
California Attorney General to Sue 23andMe Successor Over 2023 Data Breach

California Attorney General Rob Bonta is suing 23andMe’s successor, Chrome Holding, alleging the company failed to protect sensitive customer data in a 2023 breach that exposed millions of users’ genetic information.

California Attorney General Rob Bonta announced a lawsuit against 23andMe's successor company over a 2023 data breach.

Market impact

The lawsuit by California's Attorney General against 23andMe's successor highlights significant data security failures and potential misuse of sensitive genetic information.

Why it matters: The legal action underscores the critical need for robust data protection measures, especially for highly sensitive genetic information, and raises concerns about the security practices of direct-to-consumer genetic testing companies.

Watch next

  • Data security regulations
  • Consumer privacy
  • Genetic data handling
  • Company bankruptcy proceedings

California Attorney General Rob Bonta announced his intention to sue Chrome Holding, the successor company to 23andMe, over allegations that its predecessor failed to adequately protect sensitive customer data. The lawsuit stems from a significant data breach in 2023, which exposed the genetic predispositions, risk factors, and personal information of nearly seven million users, including details about their biological relatives, ancestry, and ethnicity.

"Our investigation found that the company failed to take basic steps to protect users' data," Bonta stated. He further alleged that 23andMe "lied to consumers about the severity of its 2023 data breach." The company has since been rebranded following its Chapter 11 bankruptcy filing last year.

Further compounding the concerns, Bonta alleges that threat actors subsequently sold user data from the breach on the dark web. These illicit sales specifically advertised data belonging to Asian American Pacific Islanders (AAPI) and Jewish users. Bonta described this as "disturbing and incredibly dangerous," particularly given the rise in anti-AAPI and antisemitic hate and violence during that period.

The 2023 breach reportedly occurred through a "credential stuffing" attack, in which hackers used passwords compromised in previous data incidents to gain access to 23andMe accounts that used similar login credentials. This incident has led to international regulatory scrutiny for the company.

In the UK, the Information Commissioner's Office (ICO) fined 23andMe £2.31 million last year, alleging the company had not implemented adequate security measures for sensitive user data prior to the breach. The ICO confirmed that personal data belonging to 155,592 UK residents was accessed. The ICO's investigation, conducted in conjunction with Canada's privacy commissioner, found that 23andMe violated UK law by not employing appropriate authentication and verification processes for customer logins.

This is not the first time 23andMe has faced scrutiny. Last year, users reported difficulties in deleting their accounts after the company sought Chapter 11 bankruptcy protection to facilitate a sale. At that time, concerns were raised about the potential for insurance companies to acquire user data and use it to influence coverage decisions.

23andMe, co-founded by Anne Wojcicki, once boasted prominent customers like Snoop Dogg, Oprah Winfrey, and Eva Longoria. The company's stock price reached a high of over $300 at its peak before experiencing a significant decline in 2024. The company is slated to be acquired for $256 million.