California Attorney General Sues 23andMe Successor Over Massive Data Breach
California Attorney General Rob Bonta has announced legal action against Chrome Holding, the company that succeeded genetic testing firm 23andMe, over allegations linked to a major data breach that compromised the personal information of millions of users.
The lawsuit follows an investigation by the California Department of Justice, which concluded that 23andMe failed to adequately safeguard sensitive customer data before the company was restructured and rebranded as Chrome Holding.
According to Bonta, the 2023 cyberattack exposed highly sensitive information belonging to nearly seven million users, including details related to ancestry, ethnicity, biological relatives, genetic traits and potential health risks.
The attorney general accused the company of failing to implement basic security measures and misleading customers about the seriousness of the breach.
“Our investigation found that the company did not take sufficient steps to protect users’ information and downplayed the scale of the incident,” Bonta said.
The breach was carried out through a credential-stuffing attack, a technique in which attackers take usernames and passwords obtained from previous data leaks and try them against other services, gaining access to accounts where individuals have reused the same login credentials.
Authorities also alleged that some of the stolen information was later advertised and sold online by cybercriminals, with particular attention drawn to data linked to Asian American, Pacific Islander and Jewish users.
Bonta described the situation as especially troubling given rising concerns over anti-Asian and antisemitic hate incidents in recent years.
The incident has attracted scrutiny from regulators in multiple countries.
In the United Kingdom, the Information Commissioner’s Office (ICO) imposed a £2.31 million fine on 23andMe last year, citing failures in the company’s security and authentication processes. The watchdog said personal information belonging to more than 155,000 UK residents was accessed during the breach.
Investigators in both the UK and Canada concluded that the company had not implemented adequate verification and account protection measures despite handling highly sensitive genetic information.
Genetic data is classified under UK law as a special category of personal information requiring stronger safeguards because of its unique and sensitive nature.
The company has previously stated that it has adopted several commitments aimed at strengthening customer privacy and data protection.
Concerns surrounding 23andMe intensified after the company filed for Chapter 11 bankruptcy protection and sought a buyer through a court-supervised sale process. At the time, some users reported difficulties deleting their accounts and expressed concerns about the future ownership of their genetic information.
Founded by Anne Wojcicki, the former wife of Google co-founder Sergey Brin and sister of the late YouTube executive Susan Wojcicki, 23andMe was once among the most prominent direct-to-consumer DNA testing companies in the world.
The company attracted high-profile customers, including entertainers and media personalities, and at one point enjoyed a market valuation that pushed its share price above $300 before its fortunes declined sharply in recent years.
