Dive Brief:
- California’s attorney general filed a lawsuit Wednesday against the genetic testing company formerly known as 23andMe following a 2023 data breach that affected nearly 7 million people.
- The complaint, filed in the San Francisco Superior Court against Chrome Holding Co., alleges 23andMe failed to implement reasonable security procedures and made misleading statements about its security and the data breach. 23andMe restructured as Chrome Holding last year as it went through the Chapter 11 bankruptcy process. Chrome Holding did not respond to a request for comment as of press time.
- Civil penalties imposed on the company could be in the “multiple millions,” California Attorney General Rob Bonta said in a Thursday press conference. The attorney general claims that 23andMe violated the Genetic Information Privacy Act, the California Consumer Privacy Act and other laws.
Dive Insight:
23andMe first reported the data breach in October 2023. In December, the company confirmed that hackers had been able to access ancestry data of about 6.9 million people — nearly half of its reported customers at the time, according to TechCrunch.
“This wasn’t just exposed usernames and user preferences, it was consumers’ sensitive personal information and data related to consumers‘ health, genetic predispositions, and risk factors, biological relatives, ancestry, and ethnicity,” Bonta said.
According to the lawsuit, a threat actor used “credential stuffing,” a type of cyberattack that exploits re-used passwords, to gain access to customers’ 23andMe accounts. The threat actor was then able to exploit a coding error in 23andMe’s DNA Relatives feature, which allows customers to opt in to see what other participating users they are related to, to steal additional data.
Customer data appeared for sale on the dark web in October 2023, with the poster advertising that 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users, according to the complaint.
“This data breach and the company’s handling of it was entirely unacceptable, and it also came at a deeply troubling time,” Bonta said, adding that it was “during the same time as a disturbing increase in anti-AAPI and anti-Semitic hate and violence in our nation.”
According to the lawsuit, the threat actor was able to operate undetected in 23andMe’s systems for more than five months, and the company only began investigating after the actor offered the stolen user data on the dark web and demanded a ransom from 23andMe. 23andMe did not implement security measures, such as a global password reset, until Oct. 10, 2023, and did not require multifactor authentication until November 2023, according to the complaint.
California is seeking a civil penalty of $1,000 for each violation of the Genetic Information Privacy Act, and those penalties would flow to victims under the statute, Bonta said. The state is also seeking a penalty of $2,500 for each violation of the California Consumer Privacy Act, and $7,500 for each intentional violation of the California privacy law and violations involving minors’ personal information.
23andMe filed for Chapter 11 bankruptcy in March 2025, citing falling demand for tests and legal liabilities from the breach.
Last year, a judge approved the sale of 23andMe to a nonprofit created by the company’s former CEO and founder, Anne Wojcicki, called the TTAM Research Institute (or the 23andMe Research Institute). California and four other states opposed the sale, saying it would violate their genetic privacy statutes because 23andMe did not plan to seek opt-in consent from every customer in their states. That challenge, which is separate from Thursday’s lawsuit, is still pending, Bonta said.
The attorney general confirmed that the state would need to work through the bankruptcy to collect any civil penalties obtained.
