Breach

California sues 23andMe over 2023 data breach

A logo sign outside of the headquarters of 23andMe.

California Attorney General Rob Bonta has filed a lawsuit against 23andMe, now known as Chrome Holding Co., alleging failures to protect sensitive customer genetic and personal information. This action follows a significant data breach in 2023 that exposed the data of nearly 7 million individuals, including over 850,000 Californians, with further coverage provided by Bleeping Computer.

The lawsuit stems from a credential-stuffing attack in October 2023, where threat actors exploited weak user credentials to access accounts. Initially targeting users of the "DNA Relatives" feature, the attackers subsequently gained access to a much larger dataset. In total, approximately 6.9 million customers had their genetic data, health predispositions, ancestry information, and DNA matches compromised. The California Attorney General's complaint asserts that 23andMe failed to implement adequate security safeguards, missed opportunities to detect the intrusion, and had a coding error in its "DNA Relatives" feature that facilitated the breach. The suit also cites misleading public statements made by the company before and after the incident.

These alleged violations of state laws, including the California Genetic Information Privacy Act and CCPA, could result in penalties of $1,000 to $7,500 per violation. The company had previously faced multiple lawsuits and multi-million dollar fines from national data protection authorities, leading to its bankruptcy filing.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Attack Vector

You can skip this ad in 5 seconds