Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach

Thursday, May 28, 2026
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

OAKLAND — California Attorney General Rob Bonta today filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers’ sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity. In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States, including 855,541 Californians. While 23andMe publicly touted its commitment to data privacy and transparency, in truth, it failed to take reasonable measures to protect its customers’ most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate or respond to numerous warnings that its systems had been compromised. The company also misled its customers and the public regarding crucial aspects of the 2023 data breach. In the complaint, filed today in San Francisco Superior Court, Attorney General Bonta alleges 23andMe’s failures to implement and maintain reasonable security procedures and its misleading statements regarding its security and the data breach were unlawful.

“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach. Our investigation found that the company failed to take basic steps to protect users’ data — data including the sensitive personal information, family histories, and health conditions of consumers,” said Attorney General Bonta. “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law.”  

BACKGROUND

Founded in San Francisco, 23andMe was the first and one of the largest direct-to-consumer genetic testing companies in the world. Customers sent their saliva samples to 23andMe for DNA analysis. The company stored data on consumers’ raw DNA sequence and used that information to provide consumers with reports about their ancestry, ethnicity, and genetic health predispositions. 

On October 6, 2023, 23andMe confirmed that it had suffered a major data breach. Indeed, for five months, a threat actor had breached 23andMe’s systems undetected by accessing about 14,000 customers’ 23andMe accounts. The threat actor leveraged that access, as well as other vulnerabilities within 23andMe’s systems, to obtain the data of nearly 7 million 23andMe customers.

The threat actor used a well-known type of cyberattack called “credential stuffing” that businesses, particularly those that collect and maintain sensitive personal and genetic data, can and should know to guard against. Credential stuffing exploits consumers’ tendency to reuse log-in credentials: an attacker takes the usernames and passwords exposed in one company’s breach and replays them, typically in automated bulk, against accounts at another company, succeeding wherever a consumer used the same username and password at both. Here, the threat actor used account credentials stolen in prior data breaches, including the highly publicized breach of MyHeritage, a separate genealogy site that had partnered with 23andMe. Although 23andMe’s data security team was aware of the MyHeritage breach, and 23andMe had encouraged its users to create an account with MyHeritage, 23andMe never checked for or prevented credential reuse, even after the MyHeritage data breach. Once logged into those accounts, the threat actor used a vulnerability involving a critical coding error in “DNA Relatives”, a feature that allowed DNA-related customers to share information and contact each other, to steal additional identifying information, ancestry reports, and reports indicating the percentage of DNA shared with potential relatives about nearly 7 million consumers.
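The two controls the paragraph above faults 23andMe for lacking, detecting a credential-stuffing burst in authentication logs and checking log-ins against credentials already exposed in earlier breaches, look roughly like the following. This is an added illustration written for this page, not 23andMe’s code or anything from the complaint; the log format, the thresholds, and the way breach data is fingerprinted are assumptions, and the log lines and “breached” credentials are constructed.

```python
"""Credential-stuffing detection and credential-reuse check (added example).

Both the log format and the breach-feed format are assumptions for this
illustration; none of the data below is real.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, username, outcome.
# A stuffing run shows up as one source cycling through many different
# accounts in a short window, with mostly failures and a few successes.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.5 carol@example.com SUCCESS
2023-05-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2023-05-01T10:00:05Z 203.0.113.5 erin@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2023-05-01T10:00:07Z 203.0.113.5 grace@example.com SUCCESS
2023-05-01T10:00:08Z 203.0.113.5 heidi@example.com FAIL
2023-05-01T10:05:00Z 198.51.100.7 ivan@example.com FAIL
2023-05-01T10:05:30Z 198.51.100.7 ivan@example.com FAIL
2023-05-01T10:06:00Z 198.51.100.7 ivan@example.com SUCCESS
"""


def parse_log(text):
    """Parse the assumed 'timestamp ip user outcome' format into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: set of accounts that logged in successfully during a burst}.

    Per source IP, keep a sliding window of attempts. Flag the IP once the
    window holds attempts against at least `min_users` distinct accounts and
    at least `min_fail_ratio` of them failed. A normal user retrying their own
    password (one account, few attempts) never trips this.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, ip, user, outcome in sorted(events):
        q = windows[ip]
        q.append((ts, user, outcome))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if o == "FAIL")
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            # Successes inside a stuffing burst are compromised accounts, not
            # legitimate logins: they need session revocation and a forced reset.
            hits = flagged.setdefault(ip, set())
            hits.update(u for _, u, o in q if o == "SUCCESS")
    return flagged


def credential_fingerprint(email, password):
    """Normalized hash of an email:password pair (assumed breach-feed format)."""
    return hashlib.sha256(f"{email.strip().lower()}:{password}".encode()).hexdigest()


# Constructed stand-in for credentials leaked in an earlier, unrelated breach.
BREACHED = {
    credential_fingerprint("grace@example.com", "Summer2019!"),
    credential_fingerprint("mallory@example.com", "hunter2"),
}


def reused_credential(email, password, breached=BREACHED):
    """True if this exact email:password pair is already in known breach data.

    Run at login and whenever a password is set, so a reused credential is
    rejected or forces a reset before an attacker can replay it.
    """
    return credential_fingerprint(email, password) in breached


if __name__ == "__main__":
    print("stuffing bursts:", detect_stuffing(parse_log(SAMPLE_LOG)))
    print("grace reused a breached password:", reused_credential("grace@example.com", "Summer2019!"))
```

In production the breach check is usually done without holding plaintext dumps at all, for example by querying a k-anonymity service such as the Pwned Passwords range API with a hash prefix, and the burst detector would key on more than the source IP (ASN, device fingerprint, user agent), since stuffing tools rotate proxies. The thresholds above are illustrative; tune them against your own baseline of distinct-accounts-per-source before alerting on them.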

News of 23andMe’s breach came to light after the data of one million consumers were offered for sale on the dark web, specifically touting that the data belonged to Asian American and Pacific Islanders (AAPI) and Jewish users. Disturbingly, this occurred during a period of increasing anti-AAPI and antisemitic hate and violence. 

Even more disturbing, 23andMe’s post-breach statements to consumers were misleading and omitted or misrepresented critical information regarding the breach. While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the “DNA Relatives” feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other things, the threat actor removing damaging information regarding the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities, including vulnerabilities the threat actor exploited during the data breach. 

THE INVESTIGATION & LAWSUIT 

A 2023 investigation by the California Department of Justice and a multistate coalition found that 23andMe’s pre-breach data security procedures and practices fell below security and industry standards in several ways. In fact, 23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, the company only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom.

The investigation further found 23andMe: 

  • Failed to implement reasonable security procedures to prevent and detect the well-known risk of credential stuffing.
  • Missed several opportunities to detect the credential stuffing attack.
  • Failed to guard against the exploitation of a coding error in the “DNA Relatives” feature that allowed doctored queries to the 23andMe database.
  • Failed to properly account for genetic data, its nature, and its high-level of sensitivity when drafting and implementing its data security protocols.

Additionally, 23andMe made misleading statements before and after the breach. Before the breach, 23andMe touted its security practices as meeting the highest industry standards. After the breach, 23andMe’s statements omitted key information in an effort to hide and downplay both the breach’s severity and 23andMe’s responsibility for it. 23andMe continued to inform consumers that there was no data security incident within its systems, despite being informed by the threat actor during ransom negotiations of multiple exploitable vulnerabilities within 23andMe’s systems, including vulnerabilities that were used to facilitate the attack.

In the lawsuit, Attorney General Bonta argues that 23andMe failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information and genetic data that it maintained to protect that information from unauthorized access. The complaint also alleges that the company made untrue and misleading statements intending to encourage members of the public to use 23andMe’s services or products, including statements regarding its security measures in place at the time of the data breach and the circumstances of the data breach. These failures violated, among other laws, California's Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act.

Today’s lawsuit is separate from the Attorney General’s pending challenge in the U.S. Bankruptcy Court for the Eastern District of Missouri regarding the sale of Californians’ genetic information and material in bankruptcy.

# # #