California AG Sues 23andMe Over 6.9 Million User Data Breach

Huma Shazia, 30 May 2026 at 12:27 am, 5 min read
Key Takeaways

Source: BleepingComputer
  • California AG seeks statutory penalties of $1,000-$7,500 per violation against the bankrupt genetic testing company
  • The 2023 breach exposed genetic data, health predispositions, ancestry, and DNA matches for 6.9 million customers
  • The lawsuit alleges 23andMe blamed customers for password reuse while downplaying its own security failures

California Attorney General Rob Bonta filed a lawsuit against 23andMe on May 29, alleging the genetic testing company failed to protect sensitive DNA and personal information that hackers stole from nearly 7 million customers in 2023.

The company, now operating as Chrome Holding Co. after filing for bankruptcy, faces potential penalties of $1,000 to $7,500 per violation under multiple California privacy laws.

We are suing 23andMe for failing to protect the sensitive genetic and personal information of millions of Californians and people across the country. Our DNA is our most sensitive information, and 23andMe failed its customers.

— Rob Bonta, California Attorney General

What the Lawsuit Claims

The AG's complaint outlines several alleged failures. First, 23andMe did not implement reasonable safeguards against credential-stuffing attacks. These attacks use stolen username-password combinations from other breaches to access accounts where users reused credentials.

Second, the company missed multiple opportunities to detect the intrusion as it happened. Third, a coding error in the DNA Relatives feature allowed attackers to access a much larger dataset than the initially compromised accounts.

The breach exposed data from approximately 6.9 million customers total. This included 855,541 California residents. The stolen information covered genetic data, health predisposition reports, ancestry and ethnicity details, biological relative connections, and DNA matches.

855,541 California residents had sensitive genetic and health data exposed in the 23andMe breach.

Misleading Statements Before and After

Beyond the security failures, the lawsuit targets what Bonta calls misleading public statements. Before the breach, 23andMe claimed its security met high standards. After the breach became public, the company tried to downplay its severity.

The company suggested the exposed data was largely public information. It also blamed customers for password reuse while insisting its own systems had not been breached. The AG argues this contradicts what actually happened.

How the Breach Unfolded

The incident came to light in October 2023 when threat actors began selling stolen 23andMe records online. To prove the data was real, they leaked samples and later released larger portions of the dataset.

  • October 2023: Threat actors offer stolen 23andMe data for sale and leak samples to prove authenticity
  • Late 2023: 23andMe confirms the breach and faces multiple lawsuits from affected customers
  • Early 2024: Data protection authorities launch investigations resulting in multi-million dollar fines
  • 2024: Company files for bankruptcy
  • May 29, 2026: California AG files lawsuit seeking up to $7,500 per violation

Attackers first used credential stuffing to compromise accounts with weak or reused passwords. They then exploited a flaw in the DNA Relatives feature, which lets users find and connect with genetic matches. This allowed access to a second, much larger set of accounts belonging to users who never opted into that feature.
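The complaint's first two allegations, missing safeguards against credential stuffing and missed chances to detect the intrusion, both come down to login telemetry. Credential stuffing has a footprint that differs from a brute-force attack on one account: a single source tries many different usernames with only one or two attempts each. The script below is an added example, not 23andMe's code and not anything from the complaint; it parses constructed authentication log lines, flags any source that attempts an unusual number of distinct accounts inside a time window, and lists which of those accounts the source actually logged into. The log format, the threshold of eight distinct accounts in ten minutes, the IP addresses and the usernames are all assumptions made for the example.

```python
"""Credential-stuffing detection over authentication logs (illustrative example).

This is not 23andMe's code. The log format, thresholds and sample lines are
constructed so the example runs offline. The signal: one source attempting
many DISTINCT usernames in a short window, which is what credential stuffing
looks like and what a single user mistyping a password does not.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 timestamp> <source_ip> <username> <result>"
# 203.0.113.7 sprays twelve accounts and gets into two (stuffing pattern).
# 198.51.100.4 is one user who fumbles a password twice (not stuffing).
SAMPLE_LOG = """\
2023-09-30T01:00:01Z 203.0.113.7 alice FAIL
2023-09-30T01:00:02Z 203.0.113.7 bob FAIL
2023-09-30T01:00:03Z 203.0.113.7 carol SUCCESS
2023-09-30T01:00:04Z 203.0.113.7 dave FAIL
2023-09-30T01:00:05Z 203.0.113.7 erin FAIL
2023-09-30T01:00:06Z 203.0.113.7 frank SUCCESS
2023-09-30T01:00:07Z 203.0.113.7 grace FAIL
2023-09-30T01:00:08Z 203.0.113.7 heidi FAIL
2023-09-30T01:00:09Z 203.0.113.7 ivan FAIL
2023-09-30T01:00:10Z 203.0.113.7 judy FAIL
2023-09-30T01:00:11Z 203.0.113.7 mallory FAIL
2023-09-30T01:00:12Z 203.0.113.7 oscar FAIL
2023-09-30T02:10:00Z 198.51.100.4 alice FAIL
2023-09-30T02:10:30Z 198.51.100.4 alice FAIL
2023-09-30T02:11:00Z 198.51.100.4 alice SUCCESS
2023-09-30T03:00:00Z 192.0.2.9 bob SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed whitespace-separated format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # fromisoformat() does not accept a trailing 'Z' on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(when, ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=8):
    """Flag sources that tried >= min_distinct_users different accounts within `window`.

    Returns {src_ip: {"distinct_users": peak, "compromised": [users that succeeded]}}.
    Per-account attempt counts are deliberately ignored: stuffing is low-and-wide,
    so a failed-attempt lockout on each account alone would not catch it.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for end, current in enumerate(evs):
            # Slide the window start forward until the span fits within `window`.
            while current.ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({e.user for e in evs[start:end + 1]}))
        if peak >= min_distinct_users:
            findings[ip] = {
                "distinct_users": peak,
                # Accounts this source actually entered: the ones to force-reset.
                "compromised": sorted({e.user for e in evs if e.ok}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} distinct accounts tried, "
              f"successful logins: {', '.join(info['compromised'])}")
```

The single-user retries from 198.51.100.4 never trip the detector, which is the point of keying on distinct accounts per source rather than failures per account. In a real deployment the same rule would run on streaming login events, and the `compromised` list would drive forced password resets and session revocation for exactly the accounts the source got into.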

Laws Allegedly Violated

The Attorney General cites violations of five California laws:

  • California Genetic Information Privacy Act
  • California Reasonable Data Security Law
  • California Consumer Privacy Act (CCPA)
  • False Advertising Law
  • Unfair Competition Law

The complaint seeks an injunction to prevent further violations and statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 California residents affected, potential penalties could reach into the billions.

Separate from Bankruptcy Proceedings

The AG's office noted this lawsuit is separate from ongoing bankruptcy disputes. Those proceedings involve questions about the proposed sale of Californians' genetic data and biological materials to new owners.

By the end of 2023, the company already faced multiple class-action lawsuits from affected customers. Investigations by data protection authorities led to multi-million dollar fines, which contributed to the bankruptcy filing.

Why Genetic Data Breaches Are Different

Unlike a stolen password or credit card number, genetic data cannot be changed. When DNA information leaks, it stays leaked forever. The exposed data also reveals information about biological relatives who never consented to 23andMe having their data in the first place.

This permanence has fueled criticism of companies that collect biological data without adequate security. Online discussions frequently highlight the irony of 23andMe blaming users for password reuse when the company chose to store immutable genetic information without preventing credential-stuffing attacks.

Frequently Asked Questions

What data was exposed in the 23andMe breach?

The breach exposed genetic data, health predisposition information, ancestry and ethnicity details, biological relative connections, and DNA matches for approximately 6.9 million customers.

How much could 23andMe be fined?

California is seeking statutory penalties of $1,000 to $7,500 per violation. With 855,541 California residents affected, potential penalties could reach billions of dollars.

How did hackers access 23andMe accounts?

Attackers used credential stuffing, testing stolen username-password combinations from other breaches. They then exploited a coding error in the DNA Relatives feature to access accounts of users who never opted into that feature.

Is this lawsuit related to 23andMe's bankruptcy?

No. The California AG's lawsuit is separate from bankruptcy proceedings, which involve disputes over the proposed sale of customer genetic data and biological materials.

What laws did 23andMe allegedly violate?

The lawsuit cites the California Genetic Information Privacy Act, California Reasonable Data Security Law, CCPA, False Advertising Law, and Unfair Competition Law.

Huma Shazia, Senior AI & Tech Writer