California Attorney General sues 23andMe successor for 2023 data breach
California Attorney General Rob Bonta has announced plans to file a lawsuit against Chrome Holding, the entity that acquired 23andMe, following an investigation that concluded the genetic testing firm neglected to safeguard sensitive consumer information. The probe, released on Thursday, alleges that the predecessor company, 23andMe, was responsible for a data breach in 2023 that compromised the genetic predispositions, risk factors, ancestry details, ethnicity information, and biological relative connections of nearly seven million users.
"Our investigation found that the company failed to take basic steps to protect users' data," Bonta stated, further accusing 23andMe of deceiving consumers regarding the extent of the 2023 breach. Chrome Holding, which adopted its new name after 23andMe filed for bankruptcy the previous year, has been contacted by the BBC for comment.
Bonta highlighted particularly alarming details regarding the breach, noting that threat actors selling user data on the dark web specifically marketed the information as belonging to Asian American Pacific Islander (AAPI) and Jewish individuals. "This is disturbing and incredibly dangerous" given the timing, Bonta remarked, pointing to a period marked by "mounting anti-Asian American and Pacific Islander and antisemitic hate and violence."
The breach was executed through a "credential stuffing" attack, in which hackers used passwords leaked in prior incidents to gain unauthorized access to 23andMe accounts whose users had reused similar login credentials.
The incident has triggered significant international regulatory consequences. Last year, the UK’s Information Commissioner’s Office (ICO) imposed a fine of £2.31 million on 23andMe, citing the company’s failure to implement adequate security measures for sensitive data. The ICO determined that the personal data of 155,592 UK residents had been accessed. The regulator’s investigation, conducted in collaboration with Canada’s privacy commissioner, found that 23andMe violated UK law by not employing appropriate authentication and verification protocols during the customer login process. Under UK data protection statutes, genetic information is classified as special category data, mandating heightened safeguards due to its sensitive nature.
In response to the scrutiny, the company has asserted that it has "made several binding commitments to enhance protections for customer data and privacy."
23andMe faced additional challenges last year when users reported obstacles in deleting their accounts following the company’s Chapter 11 bankruptcy filing, which was part of a court-supervised process to sell the business. At that time, concerns arose among users that insurance companies might purchase their genetic data to influence coverage decisions.
Founded by Anne Wojcicki—sister of the late YouTube CEO Susan Wojcicki and former wife of Google co-founder Sergey Brin—the company once boasted high-profile clients such as Oprah Winfrey, Eva Longoria, and Snoop Dogg. Its stock price reached a high of over $300 before plummeting in 2024.
Source: BBC News Generated at: 2026-05-28 18:28:42 UTC




