California's Attorney General Rob Bonta filed a lawsuit against 23andMe following a 2023 data breach that compromised genetic and personal information belonging to 7 million users. The stolen data was subsequently sold on the dark web.
The Lawsuit
Attorney General Bonta's action targets the DNA testing company for inadequate security practices and failure to protect consumer data. The suit alleges 23andMe violated California's consumer protection laws by not implementing reasonable safeguards for sensitive genetic information.
The Breach
The breach occurred in 2023 when unauthorized actors accessed user accounts through credential stuffing attacks. Hackers obtained genetic ancestry data, health predispositions, and personal information from millions of customers. The compromised data later appeared on dark web marketplaces.
23andMe's Response
The company previously acknowledged the breach and took steps to reset passwords and implement additional security measures. 23andMe stated it notified affected users and cooperated with law enforcement. The company maintained that many users had weak passwords that contributed to account compromise.
Legal Implications
The lawsuit represents a significant enforcement action against a major consumer genetics company. California has prioritized data protection cases, particularly involving sensitive health information. The suit seeks civil penalties, restitution for affected consumers, and injunctive relief requiring stronger security protocols.
Industry Context
The case highlights ongoing tensions between the consumer genetics industry and regulators over data security standards. DNA testing services collect some of the most sensitive personal information available. Breaches at these companies raise particular concerns given the permanent nature of genetic data—unlike passwords or credit card numbers, DNA cannot be changed.
Other genetic testing companies face similar scrutiny from state and federal regulators regarding data protection practices and third-party data sharing policies.
The lawsuit reflects growing regulatory pressure on tech companies handling sensitive consumer data following major security incidents.
The Los Angeles Police Department has declined to renew its contract with Flock Safety, citing data privacy concerns. The decision marks a shift in the department's approach to automated license plate reader technology.
Department of Homeland Security analysts dismissed suspicious network activity detected in May as harmless before confirming a breach in June, according to internal documents.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Russian state-sponsored hackers are actively targeting residential routers. The threat escalates as attackers seek to exploit routers for use as residential proxies.
Grok CLI experienced a critical bug that caused it to upload entire home directories to Google Cloud Storage. The issue sparked significant discussion in the developer community about data handling practices.