California Suing Former 23andMe Firm for 2023 Data Breach

California Attorney General Rob Bonta filed a lawsuit against the DNA company formerly known as 23andMe for failing to protect consumer data.

Bonta sued Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers’ personal information and genetic data related to health, genetic predispositions and risk factors, biological relatives, ancestry and ethnicity.

The suit stems from a 2023 data breach that affected nearly 7 million 23andMe users across the U.S., including 855,541 California residents.

Related: California Fails to Stop 23andMe Founder From Re-Acquiring Company

Bonta’s office says the company failed to take reasonable measures to protect its customers’ data, ignored known vulnerabilities in its systems and failed to properly investigate or respond to warnings that its systems had been compromised. The company also misled its customers and the public regarding aspects of the 2023 data breach.

In the complaint, filed last week in San Francisco Superior Court, Bonta alleges 23andMe’s failures to implement and maintain reasonable security procedures and its misleading statements regarding its security and the data breach were unlawful.

Related: Dozens of States Sue 23andMe to Block Sale of Personal Genetic Data

A 2023 investigation by the California Department of Justice showed 23andMe’s data security practices fell below industry standards. According to the investigation, the threat actor was able to operate undetected within 23andMe’s systems for more than five months. The company began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom.

The laws these failures violated include the California’s Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act, according to the California DOJ.

Topics
Lawsuits
California
Cyber