LegalReader.com  ·  Legal News, Analysis, & Commentary


California Sues 23andMe Over Massive 2023 Data Breach


— May 29, 2026

“Our investigation found that the company failed to take basic steps to protect users’ data,” California Attorney General Rob Bonta said in a statement.


California Attorney General Rob Bonta has filed a lawsuit against the owners of Chrome Holding, the successor company to the now-defunct DNA-testing and ancestry-research platform 23andMe.

According to the BBC, Bonta’s lawsuit broadly claims that Chrome Holding failed to protect sensitive consumer data, ultimately leading to a massive data breach in 2023. The breach exposed more than seven million members’ genetic predispositions and medical risk factors, as well as information about their biological relatives, ancestry, and race.

“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach. Our investigation found that the company failed to take basic steps to protect users’ data—data including the sensitive personal information, family histories, and health conditions of consumers,” Bonta said. “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence—and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law.”  

The BBC notes that 23andMe users were targeted by “credential stuffing,” a type of cyberattack in which hackers use email addresses and passwords exposed in earlier breaches to log into member accounts. Bonta’s lawsuit alleges that the prevalence of such attacks—including several against other DNA and ancestry companies—should have served as ample warning to 23andMe.

“Credential stuffing exploits consumers’ tendency to use weak or common passwords or to reuse log-in credentials by using the same username and password that they use with one company to log into accounts with another company,” Bonta’s office said. “[…] 23andMe never checked for or prevented credential reuse, even after the MyHeritage data breach. Once in 23andMe’s systems, the threat actor used a vulnerability involving a critical coding error in ‘DNA Relatives’—a feature that allowed DNA-related customers to share information and contact each other—to steal additional identifying information, ancestry reports, and reports indicating the percentage of DNA shared with potential relatives about nearly 7 million consumers.”
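Two defensive checks that address the pattern described above, written here as an added example rather than code from the article, the complaint, or 23andMe: flagging a source that replays many different usernames with few successes, and screening passwords against a breached-credential list so that reused credentials are refused at registration or login. The authentication events and the breached-password corpus are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample authentication events: (seconds, source_ip, username, success).
# One source walks a list of different usernames in a few seconds with mostly
# failures; the other is a single user who mistypes once and then logs in.
EVENTS = [
    (0, "198.51.100.7", "alice", False),
    (1, "198.51.100.7", "bob", False),
    (2, "198.51.100.7", "carol", True),
    (3, "198.51.100.7", "dave", False),
    (4, "198.51.100.7", "erin", False),
    (5, "198.51.100.7", "frank", True),
    (10, "203.0.113.5", "alice", False),
    (40, "203.0.113.5", "alice", True),
]


def stuffing_suspects(events, window=60, min_users=5, max_success_ratio=0.5):
    """Return {source_ip: stats} for sources that tried at least `min_users`
    distinct usernames inside any `window`-second span with a success ratio at
    or below `max_success_ratio`: the shape of a replayed breach list."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    suspects = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            win = [r for r in rows[i:] if r[0] - start <= window]
            users = {user for _, user, _ in win}
            hits = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and hits / len(win) <= max_success_ratio:
                suspects[ip] = {"distinct_users": len(users), "hits": hits}
                break  # one qualifying window is enough to flag the source
    return suspects


# Constructed stand-in for a breached-credential corpus, stored as SHA-1 digests
# so no plaintext passwords are kept (the same idea as k-anonymity prefix lookups).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password123", "qwerty", "letmein")}


def password_is_breached(password):
    """True if the candidate password appears in the breached corpus, so a
    registration, login or password-change flow can refuse or re-verify it."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1
```

In production the breached corpus would come from a maintained feed rather than an inline set, and a flagged source would trigger rate limiting or step-up authentication rather than a silent log entry.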

The lawsuit also accuses 23andMe of repeatedly trying to downplay the severity of the breach by assuring the public that “it had not experienced a data security incident within its system.” Once the breach became undeniable, 23andMe initially told users that hackers had only managed to obtain information about “DNA relatives,” a feature that is effectively public. In reality, the company was actively negotiating and paying a ransom in exchange for the hackers removing damaging information about the breach that had already been posted online.

Sources

Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach

California Attorney General sues 23andMe successor for 2023 data breach

California Sues 23andMe Successor Over Genetic Data Breach That Targeted Ethnic Groups
