Photo Credit: Getty Images
California Attorney General Rob Bonta announced on Thursday that he will sue DNA testing firm Chrome Holding, alleging that its predecessor company, 23andMe, failed to safeguard sensitive customer data. According to Bonta, this security failure led to a 2023 data breach that exposed the genetic predispositions, health risk factors, ancestry, and biological relative information of nearly seven million users. The Attorney General stated that the company failed to implement basic security measures and subsequently lied to consumers about the severity of the hack.
The company was rebranded after 23andMe filed for bankruptcy last year.
Bonta also alleges the subsequent sale of 23andMe user data on the dark web by threat actors specifically touted that it belonged to Asian American Pacific Islanders (AAPI) and Jewish users
"This is disturbing and incredibly dangerous" given it occurred during a period of "mounting anti-Asian American and Pacific Islander and antisemitic hate and violence," Bonta said.
Users were targeted by a so-called "credential stuffing" attack in which hackers used passwords exposed in previous breaches to access 23andMe accounts for which people had used similar credentials.
The 2023 data breach has resulted in international regulatory scrutiny for the company.
Last year, it was fined £2.31m by the Information Commissioner's Office (ICO), a UK watchdog, which alleged 23andMe failed to put adequate measures in place to secure sensitive user data prior to the incident. The ICO said personal data of 155,592 UK residents was accessed
The company has said it has "made several binding commitments to enhance protections for customer data and privacy."
Under UK data protection law, genetic data is considered a special category of data and requires further protections and safeguards due to its sensitive nature.
The ICO's probe was conducted in coordination with Canada's privacy commissioner and found 23andMe violated UK law by failing to implement appropriate authentication and verification measures for customers during its login process.
23andMe was cofounded by Anne Wojcicki, sister of the late YouTube boss Susan Wojcicki and ex-wife of Google co-founder Sergey Brin.
