The state of California has initiated legal action against the genetic testing company previously known as 23andMe, highlighting a significant breach of user data security in 2023. The lawsuit, filed by Attorney General Rob Bonta, points to the company’s failure to safeguard sensitive information, affecting nearly seven million individuals nationwide.
Background of the Legal Action
On Thursday, Attorney General Bonta lodged a lawsuit against Chrome Holding Co., the entity under which 23andMe was rebranded following its bankruptcy filing last March. Known for its DNA testing kits that provide insights into ancestry and health predispositions, 23andMe faces allegations of inadequate data security measures.
The lawsuit seeks multiple civil penalties and injunctions to prevent further violations of California’s stringent privacy protection laws. The company admitted to a significant security breach in 2023, where approximately 14,000 accounts were compromised, leading to the exposure of data from nearly seven million customers. The cyberattack exploited a method known as ‘credential stuffing,’ taking advantage of weak and reused passwords.
Details of the Cybersecurity Breach
According to Bonta’s office, the attack exploited a common weakness that businesses should actively guard against. The attackers reused credentials stolen in a 2017 data breach at MyHeritage, a former partner of 23andMe, against 23andMe accounts whose owners had reused the same passwords. Despite the known risk, 23andMe allegedly did not implement standard countermeasures such as forced password resets or multifactor authentication.
Critically, these lapses allowed the attackers to operate inside 23andMe’s systems undetected for over five months. The breach came to light only when the stolen data was offered for sale on the dark web and the threat actor contacted the company with a ransom demand, which prompted the investigation.
Implications and Ongoing Legal Proceedings
In October 2023, the pilfered data surfaced on the dark web, notably including information on 1.1 million consumers identified as Asian-Pacific Islander and Ashkenazi Jewish. Bonta emphasized the grave concerns this posed amid rising anti-Asian and antisemitic sentiments.
The lawsuit asserts that post-breach, 23andMe misled the public regarding the breach’s extent and the company’s involvement. Furthermore, the company reportedly neglected early warnings like increased login attempts and online discussions hinting at a data sale.
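As an added illustration of the login monitoring the passages above say was missing (this is not part of the original article, and not 23andMe's own code or logs), the following Python script parses a constructed authentication log and flags a source that tries many distinct accounts in a short window with a low success rate, the pattern credential stuffing with passwords leaked elsewhere leaves behind. It then lists the accounts that succeeded from a flagged source, which are the ones that warrant a forced password reset and multifactor enrollment. The log format, IP addresses, usernames and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data from any company).
# One event per line: <ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2023-04-29T02:00:01Z 203.0.113.7 u1@example.net FAIL
2023-04-29T02:00:03Z 203.0.113.7 u2@example.net FAIL
2023-04-29T02:00:05Z 203.0.113.7 u3@example.net OK
2023-04-29T02:00:07Z 203.0.113.7 u4@example.net FAIL
2023-04-29T02:00:09Z 203.0.113.7 u5@example.net FAIL
2023-04-29T02:00:11Z 203.0.113.7 u6@example.net FAIL
2023-04-29T02:00:13Z 203.0.113.7 u7@example.net FAIL
2023-04-29T02:00:15Z 203.0.113.7 u8@example.net FAIL
2023-04-29T02:01:00Z 198.51.100.22 alice@example.net FAIL
2023-04-29T02:01:20Z 198.51.100.22 alice@example.net FAIL
2023-04-29T02:01:40Z 198.51.100.22 alice@example.net OK
2023-04-29T02:02:00Z 198.51.100.30 bob@example.net OK
"""


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.2):
    """Flag source IPs that touch many distinct accounts inside one time
    window while almost always failing. A legitimate user retrying a
    forgotten password hits one account; a stuffing run sprays a leaked
    list across many. Demo thresholds are deliberately low; production
    values would be larger and tuned to the service's normal traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            # Advance j to the first event that falls outside the window
            # opened at evs[i]; evs[i:j] is the current sliding window.
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            chunk = evs[i:j]
            accounts = {e["user"] for e in chunk}
            successes = sum(1 for e in chunk if e["ok"])
            rate = successes / len(chunk)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                prev = alerts.get(ip)
                if prev is None or len(accounts) > prev["accounts"]:
                    alerts[ip] = {
                        "accounts": len(accounts),
                        "attempts": len(chunk),
                        "successes": successes,
                        # Accounts the source actually got into: these need a
                        # forced reset and MFA, not just a blocked IP.
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
    return alerts


def accounts_to_reset(alerts):
    """Union of accounts successfully logged into from any flagged source."""
    users = set()
    for info in alerts.values():
        users.update(info["compromised"])
    return sorted(users)


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"{info['successes']} successes -> {info['compromised']}")
    print("force reset + MFA for:", accounts_to_reset(found))
```

The per-source view catches the simple case shown here. A run spread thinly across many addresses would evade it, so the same sliding-window logic is usually run account-centrically as well (many distinct accounts each seeing a single failed attempt in a short period), and the success list is what feeds the password-reset and multifactor-authentication response the lawsuit says never happened.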
California law mandates robust protection for genetic data, and Bonta intervened to ensure compliance during 23andMe’s bankruptcy proceedings. Despite these efforts, the asset sale proceeded without requiring customer consent for data transfers. In 2024, 23andMe agreed to a $50 million settlement to resolve claims from affected U.S. customers, a decision finalized in January.
This case underscores the critical importance of stringent cybersecurity measures, especially for companies handling sensitive genetic information.
