California Attorney General Sues 23andMe Over 2023 Data Breach
California’s attorney general filed suit against the genetic testing company, alleging inadequate security allowed a 2023 breach that exposed data of nearly 7 million users. The complaint seeks civil penalties and orders barring further violations of state privacy law.
foxnews.com
California’s attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country. The lawsuit was filed against Chrome Holding Co., the name 23andMe rebranded under after filing for bankruptcy last March.
The company is known for its direct-to-consumer DNA test kits that provided customers information on their ancestry and genetic predispositions for certain health conditions. The lawsuit calls for various civil penalties against the company and injunctions blocking further violations of California’s privacy protection laws.
Prosecutors said the company’s security measures were so lax that the threat actor operated undetected within its systems for over five months.
The company has acknowledged that it suffered a major security breach in 2023 in which about 14,000 accounts were accessed, through which attackers stole the data of nearly 7 million customers. The cyberattack utilized credential stuffing, which takes advantage of customers’ tendency to use weak or common passwords or reuse passwords between multiple accounts.
Bonta’s office said this was a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials including ones from a massive data breach in October 2017 that affected MyHeritage, one of the company’s former partners.
After that breach, the company did not take common precautions such as asking customers to reset their passwords or use multifactor authentication. The company did not immediately respond to an emailed request for comment. Prosecutors said the company only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to demand a ransom.
In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users. Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.
The lawsuit says that after notifying the public about the breach, the company continued to mislead consumers about the severity of the breach and the company’s role in it. The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web.
The lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a suspicious spike in user login attempts in July and a post discussing a possible breach and sale of user data in August. Genetic data requires one of the highest levels of protection and California law mandates a heightened legal obligation to protect it, the lawsuit said.
In 2024, the company agreed to pay a $30 million settlement in a class-action lawsuit accusing it of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing the company’s bankruptcy.
Story Timeline
- October 2017: Massive data breach affected MyHeritage, a former 23andMe partner. (Source: Fortune)
- 2023: Credential-stuffing attack accessed 14,000 accounts and exposed data of nearly 7 million customers. (Source: Fortune)
- October 2023: Stolen data appeared for sale on the dark web; company said it first learned of breach. (Source: Fortune)
- January 2026: Federal judge gave final approval to $50 million class-action settlement. (Source: Fortune)
- Thursday: California attorney general filed lawsuit against Chrome Holding Co. over the breach. (Source: Fortune)
Potential Impact
- 01: Company faces additional civil penalties if court finds privacy-law violations.
- 02: Further restrictions on handling of genetic data could be ordered by the court.
- 03: Bankruptcy asset sale already completed; ruling would not unwind prior transaction.