California Attorney General Files Lawsuit Against 23andMe Over Data Breach
California Attorney General Rob Bonta has sued 23andMe, now operating as Chrome Holding Co., alleging that the company failed to safeguard the sensitive genetic and personal information of its customers.
The lawsuit stems from a significant data breach in 2023 that exposed the private information of nearly 7 million customers, including over 850,000 individuals from California.
The breach came to light in October 2023, when a threat actor advertised the stolen records for sale and posted data samples to prove the breach was real.
23andMe's subsequent investigation found that the attacker had gained access through credential stuffing: logging in with username and password pairs leaked in earlier breaches of other services, which succeeded against accounts whose owners had reused those passwords on 23andMe. Only a small fraction of accounts (roughly 14,000, by 23andMe's own count) were entered this way; the attacker then used the opt-in DNA Relatives feature, which shows each user the profiles of their genetic matches, to scrape the genetic data, health predispositions, ancestry details, relative lists and DNA matches of millions of other customers.
By the end of 2023 the breach had drawn numerous lawsuits. In 2024 the UK and Canadian privacy regulators opened a joint investigation; 23andMe filed for Chapter 11 bankruptcy protection in March 2025, and the UK Information Commissioner's Office later fined the company over the breach.
The new lawsuit filed by Bonta alleges that 23andMe failed to implement adequate defenses against credential-stuffing attacks, missed opportunities to detect the intrusion while it was under way, and left a coding error in its 'DNA Relatives' feature unaddressed.
Bonta also points to allegedly misleading statements 23andMe made both before and after the breach, overstating the strength of its security and downplaying the severity of the incident.
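Credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames, most attempts fail, and a small fraction succeed because those users reused a password. The following is an added illustration of the kind of detection logic a login service could run, not code from 23andMe or from the complaint. The log format, field names, thresholds and the log lines themselves are constructed for the example.

```python
"""Flag credential-stuffing bursts in authentication logs (constructed example).

The log format ('ts src=IP user=NAME result=OK|FAIL') and every threshold
below are assumptions for this illustration, not any real service's telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source IP (assumed)
MIN_ATTEMPTS = 20                # attempts in window before the rule is evaluated
MIN_DISTINCT_USERS = 15          # many distinct accounts from one source = stuffing
MAX_SUCCESS_RATE = 0.2           # stuffing mostly fails; a few percent hit rate is typical


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_stuffing(lines):
    """Return {src_ip: finding} for sources matching the stuffing signature.

    Each source IP keeps a deque of (ts, user, ok) events inside WINDOW; the
    rule is evaluated after every event, so a burst is flagged as soon as it
    crosses the thresholds rather than only at the end of the log. A burst
    against a single username (password guessing) has few distinct users and
    is deliberately not matched by this rule.
    """
    windows = defaultdict(deque)
    findings = {}
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        q = windows[rec["src"]]
        q.append((rec["ts"], rec["user"], rec["result"] == "OK"))
        while q and rec["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if len(q) < MIN_ATTEMPTS:
            continue
        users = {u for _, u, _ in q}
        successes = sum(ok for _, _, ok in q)
        if len(users) >= MIN_DISTINCT_USERS and successes / len(q) <= MAX_SUCCESS_RATE:
            f = findings.setdefault(
                rec["src"], {"attempts": 0, "distinct_users": 0, "compromised": set()}
            )
            f["attempts"] = max(f["attempts"], len(q))
            f["distinct_users"] = max(f["distinct_users"], len(users))
            # successes inside a stuffing burst are the accounts to lock and notify
            f["compromised"] |= {u for _, u, ok in q if ok}
    return findings


def sample_log():
    """Constructed log (not real data): one stuffing source, one normal user
    who mistypes a password, and one single-account brute force that should
    NOT trip the stuffing rule."""
    base = datetime(2023, 4, 29, 10, 0, 0)
    lines = []
    # stuffing: 40 distinct accounts in four minutes, three reused passwords hit
    for i in range(40):
        ok = "OK" if i in (7, 19, 33) else "FAIL"
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.5 user=user{i:03d} result={ok}")
    # normal: one person fails twice, then logs in
    for i, ok in enumerate(("FAIL", "FAIL", "OK")):
        t = base + timedelta(minutes=1, seconds=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=198.51.100.7 user=alice result={ok}")
    # password guessing against one account: many attempts, one username
    for i in range(30):
        t = base + timedelta(minutes=2, seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=192.0.2.9 user=bob result=FAIL")
    return lines


if __name__ == "__main__":
    for src, finding in detect_stuffing(sample_log()).items():
        print(src, finding)
```

The rule keys on distinct usernames per source rather than on failure counts alone, because a stuffing run that is 95% failures still yields real account takeovers; the successes inside a flagged burst are exactly the sessions to invalidate. Detection is only half of the control: the same signal should feed per-source rate limiting and a step-up (MFA) challenge, and a service holding genetic data should treat a login from a source already in a flagged burst as untrusted even when the password is correct.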
The Attorney General further contends that 23andMe violated several California statutes: the Genetic Information Privacy Act, the state's reasonable data security law, the California Consumer Privacy Act, the False Advertising Law and the Unfair Competition Law.
The lawsuit seeks an injunction against further violations and civil penalties of $1,000 to $7,500 per violation. The dispute over the proposed sale of Californians' genetic data and biological samples is being handled in a separate proceeding.