California Sues 23andMe Over 2023 Data Breach Affecting 7 Million Users
AI-generated from multiple sources. Verify before acting on this reporting.
SACRAMENTO (AP) — California Attorney General Rob Bonta filed a lawsuit Wednesday against Chrome Holding Co., formerly known as 23andMe, alleging the company failed to protect sensitive user data following a 2023 cybersecurity breach that impacted nearly 7 million people.
The state’s complaint accuses the genetic testing company of neglecting basic security protocols, including the implementation of multifactor authentication, which contributed to the unauthorized access of customer information. The breach, which occurred in 2023, was allegedly discovered after attackers utilized credential stuffing techniques to gain entry into the company’s systems.
According to the lawsuit, the company misled consumers regarding the severity of the incident and the extent of the data compromised. The state argues that 23andMe’s failure to safeguard personal and genetic information violated California’s Consumer Privacy Act and other state laws designed to protect consumer data.
The complaint details that the breach exposed names, email addresses, and genetic data for millions of users. Bonta’s office stated that the company’s security practices were insufficient given the sensitive nature of the information it holds. The lawsuit seeks injunctive relief and civil penalties.
Chrome Holding Co. has not issued a public statement regarding the lawsuit as of Wednesday afternoon. The company previously disclosed the 2023 breach to affected customers and regulators but has not publicly detailed the specific security measures it took in response to the incident.
The case highlights growing scrutiny over how technology companies handle sensitive health and genetic data. California has increasingly pursued legal action against corporations for data privacy violations, citing the need for stronger protections for consumers in an era of digital vulnerability.
Legal experts note that the outcome of the case could set a precedent for how genetic data breaches are handled under state privacy laws. The lawsuit remains in its early stages, with both sides expected to engage in discovery and potential settlement negotiations.
As the legal proceedings unfold, questions remain about the full scope of the data exposed and whether other users beyond the 7 million identified may have been affected. The state’s complaint also raises concerns about whether similar security lapses exist in other sectors handling sensitive consumer information.
The lawsuit was filed in Sacramento Superior Court. Both parties have until the next scheduled court date to respond to the allegations and present their positions. The case is expected to draw attention from privacy advocates and technology companies nationwide.