California attorney general sues 23andMe successor over 2023 data breach

The Californian Advocate General sues the successor of 23andMe for data violation in 2023

California's General Attorney Rob Bonta has announced that he will sue the DNA test company Chrome Holding after an investigation on Thursday and claims its predecessor 23andMe has failed to protect sensitive customer data.

Bonta said that the error has led to a data breach in 2023 that revealed genetic predispositions and risk factors of almost seven million users, as well as information about biological relatives, origins and ethnicity.

“Our investigation revealed that the company has failed to take basic measures to protect user data,” said Bonta, adding that 23andMe “directed consumers to the severity of data breach in 2023.”

The BBC has asked Chrome Holding for a comment.

The company was renamed after 23andMe filed insolvency last year.

Bonta also anticipates the subsequent sale of 23andMe user data on the Dark Web by threat activists and expressly stated that these are by Asian-American Pacificinsulans (AAPI) and Jewish users.

“This is disturbing and incredibly dangerous,” as it happened in a time of “receiving anti-Asian-American and Pacific islanders and anti-Semitic hatred and violence,” Bonta said.

Users were victims of a so-called “Credential Stuffing” attack where hackers used passwords disclosed in previous violations to access 23andMe accounts for which other similar credentials had used.

The data breach in 2023 led to an international regulatory audit by the company.

Last year, the Information Commissioner's Office (ICO), a British supervisory authority, imposed a fine of £2.31 million, because 23andMe had not taken appropriate measures to protect sensitive user data before the incident.

According to the ICO, the personal data of 155,592 inhabitants of the United Kingdom were accessed.

The company said it had made “more binding commitments to improve the protection of customer data and privacy.”

The ICO investigation was conducted in consultation with the Canadian data protection officer and showed that 23andMe has violated British law by not implementing suitable authentication and verification measures for customers during the registration process.

23andMe came back to criticism last year when users reported difficulties in deleting their accounts, after the company had applied for bankruptcy protection in accordance with Chapter 11, in order to sell itself in a judicially supervised procedure.

Some users then expressed concerns about the prospect that insurance companies would buy their data and use them to decide whether they provide insurance protection.

23andMe was born by Anne Wojcicki, sister of the late YouTube-Chefin Susan Wojcicki and ex-wife of Google- Co-founder Sergey Brin, co-founded.

The company once counted Snoop Dogg, Oprah Winfrey and Eva Longoria among its customers and recorded a share price of over $300 at its peak before it crashed in 2024.