California Attorney General Rob Bonta has announced a lawsuit against DNA testing firm Chrome Holding following an investigation into its predecessor company 23andMe’s handling of customer data.
Bonta alleges that 23andMe failed to protect sensitive customer data, resulting in a 2023 breach that exposed the genetic predispositions and risk factors of nearly seven million users.
The breach also exposed information about biological relatives, ancestry, and ethnicity belonging to those affected users, according to the attorney general.
“Our investigation found that the company failed to take basic steps to protect users’ data,” said Bonta, who added 23andMe “lied to consumers about the severity of its 2023 data breach.”
23andMe was rebranded as Chrome Holding following its filing for bankruptcy, and the BBC has requested comment from the company regarding the lawsuit.
Bonta further alleges that threat actors who subsequently sold the stolen data on the dark web specifically advertised that it belonged to Asian American Pacific Islanders and Jewish users.
“This is disturbing and incredibly dangerous” given it occurred during a period of “mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said.
The breach was carried out through a so-called credential stuffing attack, in which hackers replayed passwords exposed in previous breaches against 23andMe accounts whose owners had reused the same credentials.
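The login pattern that credential stuffing leaves behind, as an added example that is not part of the article: a small Python detector over constructed authentication log lines (hypothetical log format, source addresses from documentation ranges) that separates stuffing from single-account brute force and lists the accounts an incident responder would force to reset.

```python
"""Detect credential stuffing in login logs (constructed example).

Stuffing replays credentials leaked elsewhere: many distinct accounts from one
source, about one attempt each (so per-account lockouts never fire), mostly
failures, with a few successes where the victim reused a password."""
import re
from collections import defaultdict

# Hypothetical log format and constructed sample; addresses are documentation ranges.
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")
SAMPLE_LOG = (
    # 203.0.113.7: 12 different accounts, one try each, two succeed (stuffing)
    [f"2023-10-01T00:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d}@example.com "
     f"result={'ok' if i in (3, 9) else 'fail'}" for i in range(12)]
    # 198.51.100.9: 12 failures against a single account (brute force)
    + [f"2023-10-01T00:01:{i:02d}Z ip=198.51.100.9 user=alice@example.com result=fail"
       for i in range(12)]
    # 192.0.2.5: one typo, then a successful login (normal)
    + ["2023-10-01T00:02:00Z ip=192.0.2.5 user=bob@example.com result=fail",
       "2023-10-01T00:02:05Z ip=192.0.2.5 user=bob@example.com result=ok"]
)

def parse(lines):
    """Parse matching log lines into dicts, skipping malformed ones."""
    return [m.groupdict() for m in map(LOG_RE.match, map(str.strip, lines)) if m]

def classify_sources(events, min_attempts=10, min_fail_rate=0.7, min_distinct_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["fails"] += int(e["result"] == "fail")
        s["users"].add(e["user"])
    labels = {}
    for ip, s in stats.items():
        fail_rate = s["fails"] / s["attempts"]
        distinct_ratio = len(s["users"]) / s["attempts"]  # ~1.0 stuffing, ~0 brute force
        if s["attempts"] < min_attempts or fail_rate < min_fail_rate:
            labels[ip] = "normal"
        elif distinct_ratio >= min_distinct_ratio:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "brute_force"
    return labels

def accounts_to_reset(events, labels):
    """Accounts that logged in successfully from a stuffing source: force a password reset."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and labels.get(e["ip"]) == "credential_stuffing"})
```

The distinct-account ratio is what separates stuffing from brute force; a per-account lockout alone would miss the stuffing source entirely, since it touches each account only once.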
The 2023 incident has already attracted significant international regulatory attention, with the UK’s Information Commissioner’s Office fining the company £2.31m last year.
The ICO found that the personal data of 155,592 UK residents was accessed, and alleged 23andMe failed to put adequate security measures in place prior to the breach.
Under UK data protection law, genetic data is classified as a special category requiring additional protections and safeguards given its particularly sensitive nature.
The ICO’s investigation, conducted in coordination with Canada’s privacy commissioner, found 23andMe violated UK law by failing to implement appropriate authentication and verification measures during its login process.
The company has stated it has “made several binding commitments to enhance protections for customer data and privacy” in response to the regulatory scrutiny it has faced.
23andMe came under further pressure last year when users reported difficulty deleting their accounts after the company filed for Chapter 11 bankruptcy protection to sell itself through a court-supervised process.
Some users raised concerns at that time about the possibility of insurance companies purchasing their genetic data and using it to influence coverage decisions.