Skip to main content
Emerging ThreatsData Breaches

California AG Sues 23andMe Over Data Breach Handling

Courthouse exterior with subtle DNA elements in foreground.

Nearly 7 million customers, including 855,541 Californians, had sensitive genetic and personal information exposed in a 2023 incident that the California Attorney General says should never have happened.

Rob Bonta files suit against Chrome Holding Co. (formerly 23andMe)

California Attorney General Rob Bonta has sued 23andMe, which the complaint identifies as now operating as Chrome Holding Co., alleging the company's failure to protect customer genetic and personal information. The lawsuit centers on the company’s handling of a high-profile 2023 breach and asserts that shortcomings in security, detection and software quality allowed threat actors to access and exfiltrate data on millions of customers.

How the 2023 breach unfolded, according to the complaint

The incident first surfaced in October 2023, when threat actors offered records they said were stolen from 23andMe and posted leaked data samples to demonstrate authenticity. The company confirmed the data was genuine and attributed the initial intrusion to a credential‑stuffing attack targeting accounts with weak credentials.

The attack pathway, as described in the complaint, began with accounts that had opted into the platform's "DNA Relatives" feature. A coding error in that feature allowed access to those accounts; attackers then used that foothold to reach a much larger set of accounts that did not use the DNA Relatives feature. The complaint says the company missed multiple opportunities to detect the intrusion as it unfolded.

Scale and nature of what was exposed

Overall, the incident exposed the data of roughly 6.9 million customers. The complaint lists the types of information taken: genetic data, health predisposition information, ancestry and ethnicity details, biological relatives, and DNA matches. In California alone, the Attorney General’s filing says 855,541 residents were affected.

Alleged misstatements, legal claims, and remedies sought

Beyond technical failings, the Attorney General’s complaint criticizes 23andMe’s public statements. The suit says the company had previously claimed its security met high standards, and that after the breach it downplayed the severity—suggesting much of the exposed information was publicly available, blaming customers for password reuse, and asserting its systems had not been breached. The complaint treats those representations as misleading.

Legally, the AG asserts violations of several California laws by the company, including the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California Consumer Privacy Act (CCPA), the False Advertising Law, and the Unfair Competition Law. The complaint seeks an injunction to prevent further violations and requests statutory penalties ranging from $1,000 to $7,500 per violation, depending on the claim.

What this means for technologists, policymakers, and affected consumers

  • Technologists and security teams: The complaint focuses on credential‑stuffing defenses, detection gaps, and a coding error in a feature (DNA Relatives) that allowed escalation. Teams that manage consumer genetic platforms will watch whether the suit shifts expectations about testing features that touch sensitive genomic data and about detection responsibilities when initial credential abuse is detected.
  • Policymakers and regulators: The AG’s reliance on multiple California statutes—including the California Genetic Information Privacy Act and the CCPA—signals aggressive state‑level enforcement of data‑protection rules for genetic information. The complaint also follows national data protection investigations that, according to the filing, produced multi‑million‑dollar fines and helped push the company into bankruptcy.
  • Affected consumers: Roughly 6.9 million customers nationwide and 855,541 Californians will be watching the lawsuit’s outcomes for remedies and for any changes to how genetic data and biological‑relationship information are handled, sold, or transferred. The AG’s filing notes that a separate bankruptcy dispute concerns the proposed sale of Californians' genetic data and biological materials.

The Attorney General’s action reframes the 2023 incident as not merely a crime by outside actors but as a set of corporate failures in prevention, detection and public communications. The complaint seeks both to impose penalties and to bind the company to future conduct; the separate bankruptcy proceedings over proposed sales of Californians' genetic data remain a distinct legal thread to watch.

Original reporting: https://www.bleepingcomputer.com/news/security/california-ag-sues-23andme-over-2023-breach-exposing-health-data/