California Attorney General sues 23andMe successor for 2023 data breach
A New Legal Battle Over Sensitive Data Security
California Attorney General Rob Bonta has announced plans to initiate legal action against Chrome Holding, the DNA testing firm that assumed control of 23andMe following its bankruptcy. The lawsuit stems from an investigation that found the company’s predecessor, 23andMe, had failed to adequately safeguard customer data, resulting in a major breach in 2023. The incident exposed the genetic profiles and health risk information of nearly seven million individuals, along with details about their biological relatives, ancestry, and ethnic background.
Investigation Highlights Systemic Data Vulnerabilities
Bonta’s probe found that 23andMe neglected basic data protection measures, leaving users’ information at risk. The attorney general also stated that the company misled consumers about the seriousness of the breach, downplaying its potential consequences. “Our investigation found that the company failed to take basic steps to protect users’ data,” he said, noting that the breach was compounded by the sale of the stolen data on the dark web, where it was advertised specifically as lists of users of Asian American and Pacific Islander (AAPI) and Jewish ancestry.
“This is disturbing and incredibly dangerous,” Bonta said, highlighting the timing of the breach amid a surge in anti-Asian American and Pacific Islander and antisemitic hate and violence. The targeting of these groups through data exposure raises concerns about potential discrimination and misuse of sensitive information.
How the Breach Occurred: A Credential Stuffing Attack
The breach was carried out using a technique known as “credential stuffing”: attackers took username and password pairs leaked in breaches of other, unrelated services and replayed them against 23andMe’s login page. Any account whose owner had reused the same password elsewhere could be taken over, with no need to break 23andMe’s own password storage. The number of accounts accessed directly this way was small relative to the total exposure. Each hijacked account could view the profiles of the genetic relatives that 23andMe’s relative-matching feature had linked to it, so the attackers scraped those relative records from the accounts they controlled, which is how a limited set of compromised logins exposed data on millions of people who had never reused a password. This ripple effect is what turned individual account takeovers into a privacy risk for entire families.
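Two points in the paragraph above are easy to state and hard to see without data: why a per-account lockout does nothing against credential stuffing (each account receives only one or two attempts), and how a handful of account takeovers can expose far more people through a relative-sharing feature. The following script is an added example, not code from 23andMe, the regulators, or the BBC. It runs a simple per-source-IP stuffing heuristic over a constructed login log (fictional accounts and RFC 5737 documentation IP ranges), shows that the per-account failure count stays below any sensible lockout threshold, and then computes the “blast radius” of the accounts that were successfully logged into, using a constructed map of which relatives each account can see. The log format, the thresholds and the relatives map are assumptions chosen for the illustration.

```python
"""Credential-stuffing detection and exposure blast radius over a login log.

Added example. The log lines, IP addresses, account names and the relatives map
below are constructed for illustration and do not come from any real incident.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed web-tier login events: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 sprays ten different accounts once each (a stuffing run, two of which
# succeed); 198.51.100.5 is a real user mistyping her own password twice.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:01Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:02Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 grace@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:01:10Z 198.51.100.5 mallory@example.com FAIL
2023-10-01T10:01:15Z 198.51.100.5 mallory@example.com FAIL
2023-10-01T10:01:20Z 198.51.100.5 mallory@example.com OK
2023-10-01T10:02:00Z 192.0.2.44 oscar@example.com OK
"""

# Constructed relative-matching view: which other profiles each account can see.
# The values are opaque profile IDs of people who never logged in during the attack.
RELATIVES = {
    "carol@example.com": {"rel-101", "rel-102", "rel-103"},
    "grace@example.com": {"rel-103", "rel-104"},
    "alice@example.com": {"rel-105"},
}


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(ts, ip, user, result == "OK"))
    return events


def flag_stuffing_sources(events: list[Event], min_distinct_users: int = 5,
                          max_success_ratio: float = 0.5) -> dict[str, dict]:
    """Flag source IPs whose traffic looks like credential stuffing.

    Signature: one source tries many *different* usernames, mostly failing, with a
    few successes. Thresholds are assumptions for the example. Returns, per flagged
    IP, the attempt count, distinct usernames and the accounts it logged into.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e.user for e in evs}
        successes = sorted({e.user for e in evs if e.ok})
        ratio = len(successes) / len(evs)
        if len(users) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users),
                           "compromised": successes}
    return flagged


def max_failures_per_account(events: list[Event]) -> int:
    """Highest failure count seen on any single account.

    A stuffing run touches each account once, so this stays far below a typical
    lockout threshold (commonly 5 or 10); per-account lockout alone misses it.
    """
    fails: dict[str, int] = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[e.user] += 1
    return max(fails.values(), default=0)


def exposure_blast_radius(compromised: list[str],
                          relatives: dict[str, set[str]]) -> list[str]:
    """Profiles reachable through the relative-matching view of compromised accounts.

    The union (not the sum) is returned: a relative shared by two compromised
    accounts is exposed once, but relatives of non-compromised accounts are safe.
    """
    exposed: set[str] = set()
    for account in compromised:
        exposed |= relatives.get(account, set())
    return sorted(exposed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing_sources(evs)
    print("stuffing sources:", flagged)
    print("max failures on any one account:", max_failures_per_account(evs))
    for ip, info in flagged.items():
        radius = exposure_blast_radius(info["compromised"], RELATIVES)
        print(f"{ip}: {len(info['compromised'])} accounts taken over, "
              f"{len(radius)} relatives' profiles exposed: {radius}")
```

On the constructed log only 203.0.113.7 is flagged (ten distinct users, two successes), while the highest per-account failure count in the whole log is 2, so a lockout-after-five rule never fires. The two hijacked accounts reach four distinct relative profiles, more than the number of accounts actually broken into, which is the same shape as the real incident on a much smaller scale. In production the same heuristic would run over a sliding time window and combine with per-IP rate limiting and a step-up challenge (multi-factor or e-mail verification) on logins from a flagged source.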
Global Regulatory Scrutiny and Financial Consequences
The 2023 incident has drawn international attention, prompting regulatory bodies to examine the company’s data security practices. In the UK, the Information Commissioner’s Office (ICO) fined 23andMe £2.31 million last year, citing its failure to secure sensitive user data before the breach. The ICO alleged that the company did not implement sufficient authentication and verification measures during the login process, violating UK data protection laws.
Genetic data is classified as a special category under UK regulations, requiring stricter safeguards due to its potential to reveal deeply personal information. The ICO’s investigation was conducted in collaboration with Canada’s privacy commissioner, confirming that 23andMe’s practices fell short of legal standards, affecting 155,592 UK residents.
The Rebranding and Legal Transition
Chrome Holding, which rebranded the company after 23andMe filed for bankruptcy, now faces legal repercussions for its predecessor’s lapses. The transition occurred last year, when the firm sought Chapter 11 protection to facilitate a court-supervised sale. Despite the rebranding, the core issues of data security and transparency remain unresolved, with the new entity being held accountable for the actions of its predecessor.
User Concerns and Broader Implications
The breach has reignited public concern about how genetic data is handled by private firms. At the time of the incident, some users worried about insurance companies using the data to assess risk and deny coverage. This fear underscores the growing importance of protecting biometric and health-related information in an era where digital footprints can be exploited for commercial or discriminatory purposes.
Bonta’s legal action also focuses on the company’s lack of accountability. He argued that 23andMe’s failure to secure data created a chain of responsibility, implicating its successor in the breach. The lawsuit seeks to enforce stricter data protection standards and ensure that users are informed about the risks associated with sharing their genetic information.
Historical Context and Corporate Evolution
23andMe, founded in 2006, has a storied history in the genetic testing industry. It was co-founded by Anne Wojcicki, the sister of the late YouTube CEO Susan Wojcicki and the ex-wife of Google co-founder Sergey Brin. The company gained fame for its celebrity clientele, including Snoop Dogg, Oprah Winfrey, and Eva Longoria, and once saw its stock price peak at over $300 per share. However, the 2023 breach marked a significant setback, leading to a sharp decline in its market value.
The Role of the Dark Web in Expanding the Breach
One of the most alarming aspects of the 2023 breach was the sale of user data on the dark web. Cybercriminals specifically highlighted the genetic information of AAPI and Jewish users, drawing attention to the potential for targeted attacks. This practice not only exposed personal data but also created opportunities for identity theft, genetic profiling, and even social engineering schemes.
Bonta pointed out that the breach’s impact was magnified by the specificity of the data sold. “The fact that threat actors emphasized the vulnerability of AAPI and Jewish communities during this period is particularly troubling,” he said. The combination of data exposure and rising hate crimes has raised questions about the role of corporations in protecting marginalized groups from digital threats.
Reactions and Ongoing Legal Challenges
Following the announcement of the lawsuit, the BBC requested comment from Chrome Holding, but the company has yet to respond. The legal battle adds to the mounting pressure on the firm, which has already faced penalties from the ICO and other regulatory bodies. Bonta’s allegations underscore the need for stronger accountability mechanisms, especially in the genetic data sector where breaches can have life-changing consequences for individuals and families.
The case also highlights the challenges of transitioning companies through bankruptcy. While 23andMe aimed to streamline its operations, the process left users questioning whether their data would be protected in the new ownership structure. This uncertainty has fueled calls for more robust data governance frameworks to prevent similar incidents in the future.
Genetic Data and the Need for Enhanced Safeguards
Under UK law, genetic data is considered a special category, necessitating additional protections beyond standard data security measures. The ICO’s findings emphasise that 23andMe’s breach was not a one-off lapse but the result of systemic failures in how logins were protected: the absence of multi-factor authentication and of rate limiting on failed login attempts meant that replaying leaked passwords at scale was both possible and cheap, and insufficient monitoring of account activity meant the resulting mass access to relatives’ data went unnoticed until the stolen records were offered for sale.
The rebranding of 23andMe under Chrome Holding has not erased the legacy of these lapses. Bonta’s lawsuit serves as a reminder that companies must uphold data protection standards even during periods of financial restructuring. The legal action also signals a broader trend of holding successor firms accountable for the actions of their predecessors, particularly in cases involving sensitive information.
Looking Ahead: A Call for Stronger Data Protection
As the legal case progresses, it will serve as a critical test of data protection laws and their enforcement. The breach of 2023 has exposed vulnerabilities in how genetic data is stored and shared, prompting a reevaluation of privacy practices in the industry. Experts argue that companies must adopt more transparent policies and invest in advanced security technologies to prevent future breaches.
Bonta’s office has also called for improved public awareness about the risks of genetic data exposure. The case illustrates how a single breach can have far-reaching consequences, affecting not just individuals but also their relatives and ethnic communities. With the increasing reliance on genetic testing for health and ancestry insights, ensuring data privacy has never been more urgent.