California AG sues 23andMe over 2023 breach exposing health data

BleepingComputer

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company’s failure to protect sensitive customer genetic and personal information.

Improper security led to a high-profile data breach in 2023 that exposed the sensitive information of nearly 7 million customers, including 855,541 Californians.

The incident came to light that year in October, after threat actors offered to sell a large number of records stolen from 23andMe, and leaked data samples (and later larger parts of the dataset) to prove the authenticity of the information.

The California-based company confirmed that the leaked data was genuine and claimed that it had been extracted following a credential-stuffing attack targeting accounts with weak credentials.

Soon, it became clear that the attackers had exfiltrated data from users opting into the platform's 'DNA Relatives' feature, and then accessed a second, much larger set of accounts that didn’t use the feature.

In total, the incident exposed data of roughly 6.9 million customers, including genetic data, health predisposition information, ancestry and ethnicity information, biological relatives, and DNA matches.

By the end of 2023, the company was already facing multiple lawsuits. In early 2024, national data protection authorities launched investigations that ultimately resulted in multi-million-dollar fines, leading the company to file for bankruptcy.

The latest lawsuit filed by AG R. Bonta claims that 23andMe failed to implement reasonable safeguards against credential-stuffing attacks, missed multiple opportunities to detect the intrusion, and failed to catch the coding error in DNA Relatives that led to the widespread breach.
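As an added illustration (not code from the article, the complaint, or 23andMe's systems), the two checks below run over a constructed log in a hypothetical format and show the kind of detection the complaint says was missing: one flags a source address whose failed logins spread across many different accounts, the signature of credential stuffing, and the other flags an account that views far more DNA Relatives profiles than its peers, the pattern of one compromised account being used to harvest linked users' data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (hypothetical format, not 23andMe's).
# Fields: timestamp | source_ip | account | event
SAMPLE_LINES = [
    "2023-10-01T10:00:01Z | 203.0.113.5 | user01 | login_fail",
    "2023-10-01T10:00:02Z | 203.0.113.5 | user02 | login_fail",
    "2023-10-01T10:00:03Z | 203.0.113.5 | user03 | login_fail",
    "2023-10-01T10:00:04Z | 203.0.113.5 | user04 | login_fail",
    "2023-10-01T10:00:05Z | 203.0.113.5 | user05 | login_success",
    "2023-10-01T10:00:06Z | 203.0.113.5 | user06 | login_fail",
    "2023-10-01T10:01:00Z | 198.51.100.7 | user09 | login_success",
    "2023-10-01T10:01:10Z | 198.51.100.7 | user09 | relatives_view",
    "2023-10-01T10:01:20Z | 198.51.100.7 | user09 | relatives_view",
    "2023-10-01T10:01:30Z | 198.51.100.9 | user10 | relatives_view",
]
# user05 (logged in from the stuffing source) then walks through 12
# relative profiles in quick succession - far above the other accounts.
SAMPLE_LINES += [f"2023-10-01T10:02:{i:02d}Z | 203.0.113.5 | user05 | relatives_view"
                 for i in range(12)]


def parse_log(lines):
    """Split each pipe-delimited line into a dict of its four fields."""
    events = []
    for line in lines:
        ts, ip, account, event = [f.strip() for f in line.split("|")]
        events.append({"ts": ts, "ip": ip, "account": account, "event": event})
    return events


def stuffing_sources(events, min_accounts=5):
    """Source IPs whose failed logins span at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["event"] == "login_fail":
            failed[e["ip"]].add(e["account"])
    return sorted(ip for ip, accts in failed.items() if len(accts) >= min_accounts)


def scraping_accounts(events, factor=5, floor=10):
    """Accounts whose relatives_view count exceeds max(floor, factor * median)."""
    views = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view":
            views[e["account"]] += 1
    if not views:
        return []
    threshold = max(floor, factor * median(views.values()))
    return sorted(acct for acct, n in views.items() if n > threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LINES)
    print("stuffing sources:", stuffing_sources(evts))   # ['203.0.113.5']
    print("scraping accounts:", scraping_accounts(evts))  # ['user05']
```

Real thresholds would be tuned against the platform's own baseline; the point is that both signals were observable in ordinary authentication and feature-access logs.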

In addition to the data protection failures, Bonta also underlines the misleading public statements 23andMe made before and after the incident.

Specifically, the firm claimed before the incident that its security met high standards. After the breach, it attempted to downplay the incident's severity, suggesting that the exposed data was largely public, and blamed customers for password reuse, stating that its systems had not been breached.

Overall, the Attorney General argues that these actions violated several state laws, including the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law.

The complaint seeks an injunction to prevent any further violations of the above, including the imposition of statutory penalties of $1,000-$7,500 per violation, depending on the case.

The AG announcement notes that the bankruptcy dispute regarding the proposed sale of Californians' genetic data and biological materials is a separate proceeding.
