:

CALIFORNIA SUES 23ANDME OVER 7M-PERSON DATA BREACH

AI DESK2 MIN READ
FRI, MAY 29, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

California's attorney general filed suit against genetic testing company 23andMe on Thursday, alleging it failed to adequately protect user data in a 2023 breach affecting approximately 7 million people across the United States.

Attorney General Rob Bonta's lawsuit claims 23andMe neglected to implement reasonable security measures that would have prevented unauthorized access to sensitive genetic and health information. The breach, discovered in 2023, exposed personal data belonging to millions of customers nationwide. The complaint alleges that 23andMe's security failures violated California consumer protection laws. According to Bonta's office, the company failed to use adequate safeguards such as stronger password requirements and additional security protections despite knowing the risks associated with storing genetic data. 23andMe confirmed the breach last year, initially indicating that hackers accessed account information through credential stuffing attacks, where bad actors use previously compromised usernames and passwords to gain entry to accounts. The company subsequently revealed that some users' genetic ancestry data had also been exposed. The lawsuit seeks penalties and damages on behalf of affected California residents. It represents one of several legal challenges the genetic testing company has faced following the breach. The case highlights ongoing tensions between data-intensive tech companies and regulators over security practices. Genetic testing services collect some of the most sensitive personal information available—DNA data that can reveal family relationships, ancestry, and potential health risks. Such information requires heightened protection standards compared to typical consumer data. 23andMe did not immediately respond to requests for comment on the lawsuit. The company has previously stated it takes security seriously and has implemented improvements to its systems following the incident. The litigation underscores regulatory scrutiny of how companies handle biometric and genetic information, particularly in California, where privacy protections have become increasingly stringent in recent years.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for enabling ransomware attacks against American organizations. The action targets infrastructure providers facilitating cyber threats.

JUST NOWSecurity Desk

As scam calls and messages proliferate, ordinary people are turning the tables on fraudsters through scambaiting—deliberately engaging scammers to waste their time and resources.

3H AGOIndustry Desk

Security researchers have identified a defensive technique called "context bombing" that uses prompt injections to trigger an attacker's own AI guardrails, reducing the success rate of AI-based hacking attempts by approximately 90%.

3H AGOAI Desk

The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.