California sues 23andMe, alleging it failed to protect user data in 2023 breach
LOS ANGELES (AP) — California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country.
Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March. 23andme is known for its direct-to-consumer DNA test kits that provided customers information on their ancestry and genetic predispositions for certain health conditions.
The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California’s privacy protection laws.
The company has acknowledged that it suffered a major security breach in 2023 that resulted in about 14,000 accounts accessed, through which they were able to steal the data of nearly 7 million customers. The cyberattack utilized “credential stuffing," which takes advantage of customers' tendency to use weak or common passwords or reuse passwords between multiple accounts.
Bonta's office said this was a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe’s former partners. After that breach, 23andMe did not take common protocols such as asking customers to reset their passwords or use multifactor authentication.
23andMe did not immediately respond to an emailed request for comment.
“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,” prosecutors said in the complaint.
In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users.
“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”
Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.
The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company's role in it.
The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.
Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.
Bonta also intervened to ensure customers' genetic data wouldn't be mishandled during 23andMe's Chapter 11 bankruptcy and asset sale, arguing that California's Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.
In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe's bankruptcy.
© Copyright The Associated Press. All rights reserved. The information contained in this news report may not be published, broadcast or otherwise distributed without the prior written authority of The Associated Press.
