CALIFORNIA SUES 23ANDME OVER 7M-USER DATA BREACH
SECURITY DESK | 2 min read
Fri, May 29, 2026 | AI-summarized from 2 sources
California's Attorney General Rob Bonta filed a lawsuit against 23andMe following a 2023 data breach that compromised genetic and personal information belonging to 7 million users. The stolen data was subsequently sold on the dark web.
The Lawsuit
Attorney General Bonta's action targets the DNA testing company for inadequate security practices and failure to protect consumer data. The suit alleges 23andMe violated California's consumer protection laws by not implementing reasonable safeguards for sensitive genetic information.
The Breach
The breach occurred in 2023 when unauthorized actors accessed user accounts through credential stuffing attacks, in which username and password pairs exposed in earlier, unrelated breaches are replayed against another service's login. Attackers obtained genetic ancestry data, health predispositions, and personal information from millions of customers. The compromised data later appeared on dark web marketplaces.
23andMe's Response
The company previously acknowledged the breach and took steps to reset passwords and implement additional security measures. 23andMe stated it notified affected users and cooperated with law enforcement. The company maintained that many users had weak passwords that contributed to account compromise.
Legal Implications
The lawsuit represents a significant enforcement action against a major consumer genetics company. California has prioritized data protection cases, particularly involving sensitive health information. The suit seeks civil penalties, restitution for affected consumers, and injunctive relief requiring stronger security protocols.
Industry Context
The case highlights ongoing tensions between the consumer genetics industry and regulators over data security standards. DNA testing services collect some of the most sensitive personal information available. Breaches at these companies raise particular concerns given the permanent nature of genetic data—unlike passwords or credit card numbers, DNA cannot be changed.
Other genetic testing companies face similar scrutiny from state and federal regulators regarding data protection practices and third-party data sharing policies.
The lawsuit reflects growing regulatory pressure on tech companies handling sensitive consumer data following major security incidents.