California’s top law enforcement official has announced plans to file a lawsuit against DNA testing conglomerate Chrome Holding, capping a months-long investigation into a catastrophic 2023 data leak that originated with Chrome’s predecessor, consumer genetics giant 23andMe. Attorney General Rob Bonta alleged in a Thursday press briefing that 23andMe repeatedly neglected basic cybersecurity obligations to safeguard the highly sensitive personal genetic data of its customers.
The 2023 credential stuffing attack, which leveraged leaked passwords from previous unrelated data breaches to gain unauthorized access to customer accounts, exposed the private genetic information of nearly 7 million people. The leaked data not only included users’ genetic predispositions to health conditions and disease risk factors, but also detailed records of biological relatives, ancestral origins and self-reported ethnic backgrounds. Bonta’s investigation uncovered two damning failures: first, the company never implemented fundamental security controls to block automated attacks on customer accounts, and second, 23andMe deliberately misled consumers about how severe the breach actually was after it was discovered.
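The "fundamental security controls to block automated attacks" that the investigation says were missing are, in practice, login-traffic heuristics of the kind sketched below. This is an added illustration, not code from 23andMe, Chrome Holding or the Attorney General's office; the IP addresses, usernames and thresholds are constructed. The point it demonstrates is why a per-account lockout alone does not stop credential stuffing: an attacker replaying leaked passwords tries each account only once or twice, so the signal lives in the source, not the account, and the detector therefore watches how many distinct accounts a single source touches inside a short window.

```python
from collections import defaultdict, deque

# Constructed sample login events: (timestamp_seconds, source_ip, username, succeeded).
# The 203.0.113.7 burst mimics automated credential stuffing: many different accounts
# tried from one source within seconds, mostly failing, with an occasional success
# where a password reused from an unrelated breach happened to match.
# The 198.51.100.4 lines mimic one legitimate user mistyping, then logging in.
SAMPLE_EVENTS = [
    (0,  "198.51.100.4", "alice",   False),
    (5,  "198.51.100.4", "alice",   True),
    (10, "203.0.113.7",  "user001", False),
    (11, "203.0.113.7",  "user002", False),
    (12, "203.0.113.7",  "user003", False),
    (13, "203.0.113.7",  "user004", True),   # reused leaked password matched
    (14, "203.0.113.7",  "user005", False),
    (15, "203.0.113.7",  "user006", False),
    (16, "203.0.113.7",  "user007", True),   # another match: must not be let through
    (17, "203.0.113.7",  "user008", False),
]


class StuffingDetector:
    """Sliding-window, per-source heuristics for automated login abuse.

    Decisions returned by evaluate():
      'allow'     - nothing unusual about this source
      'challenge' - repeated failures from one source: require a step-up (MFA, CAPTCHA)
      'block'     - one source spraying many distinct accounts: refuse, even on success
    Thresholds are hypothetical and would be tuned against real traffic.
    """

    def __init__(self, window_seconds=60, distinct_user_threshold=5, failure_threshold=3):
        self.window = window_seconds
        self.distinct_user_threshold = distinct_user_threshold
        self.failure_threshold = failure_threshold
        # source_ip -> deque of (timestamp, username, succeeded) within the window
        self.history = defaultdict(deque)

    def _prune(self, ip, now):
        hist = self.history[ip]
        while hist and hist[0][0] < now - self.window:
            hist.popleft()

    def evaluate(self, ts, ip, user, ok):
        """Record one attempt and return the decision for it."""
        hist = self.history[ip]
        hist.append((ts, user, ok))
        self._prune(ip, ts)
        distinct_users = {u for _, u, _ in hist}
        failures = sum(1 for _, _, succeeded in hist if not succeeded)
        # Account spraying: many accounts from one source plus a failure floor.
        # Checked first so a lucky password match is still refused.
        if len(distinct_users) >= self.distinct_user_threshold and failures >= self.failure_threshold:
            return "block"
        # Plain brute force or a forgetful user: step up rather than lock the account.
        if failures >= self.failure_threshold:
            return "challenge"
        return "allow"


def analyze(events, detector=None):
    """Replay events in order and return one decision per event."""
    detector = detector or StuffingDetector()
    return [detector.evaluate(ts, ip, user, ok) for ts, ip, user, ok in events]


def blocked_sources(events, detector=None):
    """Return the set of source IPs that received at least one 'block' decision."""
    detector = detector or StuffingDetector()
    blocked = set()
    for ts, ip, user, ok in events:
        if detector.evaluate(ts, ip, user, ok) == "block":
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    for (ts, ip, user, ok), decision in zip(SAMPLE_EVENTS, analyze(SAMPLE_EVENTS)):
        print(f"t={ts:3d} {ip:14s} {user:8s} ok={ok!s:5s} -> {decision}")
    print("blocked sources:", sorted(blocked_sources(SAMPLE_EVENTS)))
```

Note that the two successful logins from the spraying source are not the same thing: the first arrives while the source is merely under "challenge" and would be held behind a step-up prompt, while the second arrives after the distinct-account threshold has been crossed and is refused outright. Locking out only the targeted accounts would have done nothing here, since each account saw a single attempt; that is the gap the credential-stuffing description above is pointing at.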
What makes the incident even more alarming, Bonta emphasized, is that threat actors who stole the data specifically marketed the stolen datasets on the dark web to highlight the profiles of users identifying as Asian American Pacific Islanders (AAPI) and Jewish people. Bonta called this targeting “disturbing and incredibly dangerous,” noting that the leak unfolded amid a nationwide surge in anti-AAPI hate crimes and antisemitic violence across the United States, putting these targeted communities at heightened risk of discrimination and harm.
This marks the latest regulatory consequence for the former 23andMe, which rebranded as Chrome Holding after filing for Chapter 11 bankruptcy protection in 2024. The 2023 breach first drew international regulatory scrutiny almost immediately, when UK data protection watchdog the Information Commissioner’s Office (ICO) issued a £2.31 million ($2.9 million) fine against the company last year. The ICO found that 23andMe violated UK data protection rules by failing to implement proper authentication and verification protocols for user logins, leaving the personal genetic data of more than 155,000 UK residents exposed to unauthorized access. Under UK law, genetic information is classified as a special category of sensitive personal data, requiring extra layers of security and privacy safeguards that 23andMe failed to put in place. The ICO’s investigation was carried out in coordination with Canadian privacy regulators, highlighting the global scope of the breach’s impact.
23andMe faced additional public backlash last year after its bankruptcy filing, when hundreds of users reported being unable to delete their accounts and remove their genetic data from the company’s servers as they requested. Many users raised urgent concerns that their sensitive genetic information could be purchased by third parties including insurance providers, who could use the data to deny coverage or raise premiums for customers based on their genetic predispositions.
Founded by Anne Wojcicki, sister of late YouTube CEO Susan Wojcicki and ex-wife of Google co-founder Sergey Brin, 23andMe rose to mainstream popularity in the 2010s, counting high-profile celebrities including Snoop Dogg, Oprah Winfrey and Eva Longoria among its early customers. At its peak market valuation, the company’s share price climbed above $300 before a steep market downturn in 2024 wiped out most of its value ahead of its bankruptcy filing.
Chrome Holding had not issued a public response to the impending California lawsuit when the BBC reached out to the company for comment. The company has stated previously that it has made several binding commitments to upgrade security and privacy protections for all customer genetic data held in its systems.
