
California Sues 23andMe Over 2023 Data Breach, Exposing Millions of Users

Attorney General Rob Bonta alleges the genetic testing company failed to implement reasonable safeguards, leading to a massive leak of sensitive customer information.

By Serhat Kalender · Editor-in-Chief · May 29, 2026 · 3 min read

California's top prosecutor is suing 23andMe, the popular genetic testing service, over its handling of a massive data breach that exposed the sensitive information of millions of users. Attorney General Rob Bonta announced the lawsuit, alleging that the company, now operating as Chrome Holding Co., failed to implement adequate security measures, ultimately leading to the exposure of genetic data, health predispositions, and personal details for approximately 6.9 million customers.

The breach came to light in October 2023 when malicious actors began offering stolen data for sale on the dark web. 23andMe confirmed the authenticity of the leaked information, attributing the incident to a credential-stuffing attack that exploited weak passwords on user accounts. The attackers were able to access data from users who utilized the platform's 'DNA Relatives' feature, and subsequently gained access to a much larger pool of accounts that did not use this specific function.

Security Failures and Misleading Statements

Bonta's lawsuit specifically targets 23andMe's alleged failure to protect against credential-stuffing attacks. The complaint states that the company missed multiple opportunities to detect the intrusion and did not address a coding error within the 'DNA Relatives' feature that contributed to the widespread breach. Beyond the security lapses, the Attorney General also highlighted what he described as misleading public statements made by 23andMe both before and after the incident. The company reportedly claimed high security standards prior to the breach, and later attempted to minimize the severity of the leak by suggesting the exposed data was largely public and that its systems themselves were not compromised.

These alleged actions are said to have violated several California laws, including the Genetic Information Privacy Act, the Reasonable Data Security Law, the Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The lawsuit seeks an injunction to prevent future violations and is pursuing statutory penalties ranging from $1,000 to $7,500 per violation.

A Wave of Scrutiny and Financial Trouble

This legal action from California adds to a growing list of challenges faced by 23andMe. By the end of 2023, the company was already entangled in multiple lawsuits stemming from the breach. Early in 2024, national data protection authorities initiated investigations that resulted in significant fines, a turn of events that ultimately led 23andMe to file for bankruptcy. The current lawsuit highlights the significant risks associated with handling vast amounts of sensitive personal and genetic data, especially in the face of evolving cybersecurity threats.

The Attorney General argues that 23andMe's failure to implement reasonable safeguards directly led to the exposure of highly sensitive genetic and personal information for millions of users.

Context:

The European Union has been at the forefront of data privacy regulation with the General Data Protection Regulation (GDPR), which imposes strict rules on how companies collect, process, and store personal data, including sensitive information like genetic data. While 23andMe is a US-based company, such breaches often draw international attention and can influence regulatory approaches globally. The company's bankruptcy filing also underscores the precarious financial position many tech companies can find themselves in when facing significant data security failures and subsequent legal liabilities.

What this means for you:

If you are a 23andMe customer, this lawsuit is another reminder of the importance of data security and the potential legal ramifications when companies fail to protect your information. The penalties sought could impact 23andMe's restructuring efforts. You should remain vigilant about any potential identity theft or misuse of your personal and genetic data. Keep an eye on updates regarding the bankruptcy proceedings and any potential impact on your data rights.

What's still unclear:

  • The exact amount of financial penalty 23andMe might face, beyond the statutory ranges cited.
  • Whether the bankruptcy proceedings will affect the outcome or enforcement of this specific lawsuit.
  • The extent to which 23andMe's security protocols have been fundamentally altered post-breach and post-bankruptcy filing.

Why this matters:

California sues 23andMe over massive data leak, adding legal pressure amid bankruptcy. This lawsuit amplifies the regulatory and legal scrutiny on 23andMe following a significant data breach, potentially impacting its recovery and setting a precedent for how companies handling sensitive genetic data are held accountable for security failures.
