California AG Sues 23andMe New Owner Over 2023 Genetic Data Breach

Once again, California Attorney General Rob Bonta is at it. As we first reported, he has filed a lawsuit against Chrome Holding Co. — the company formerly known as 23andMe — over a 2023 data breach that exposed the genetic data of nearly 7 million people across the United States, including 855,541 Californians.

The lawsuit is significant on multiple levels. It involves the most sensitive category of personal data that exists — genetic information that cannot be changed, cannot be revoked, and can reveal things about a person that they may not even know about themselves. It involves a company that publicly promised to protect that data while privately paying a ransom to the attacker who stole it. And it arrives as the company sits in bankruptcy proceedings, with a separate legal challenge from the Attorney General’s office running in parallel over what happens to that genetic data when the company is sold.

For any organization collecting sensitive personal data, this case is required reading. Not because 23andMe’s failures were exotic or technically sophisticated — they were not — but because they were ordinary, foreseeable, and the kind of thing that a functioning data security program would have caught.

What Happened: The Breach

23andMe was founded in San Francisco and became the first and largest direct-to-consumer genetic testing company in the world. Customers mailed saliva samples to the company for DNA analysis. 23andMe stored raw DNA sequence data and used it to generate reports on ancestry, ethnicity, and genetic health predispositions — some of the most intimate personal information a company can hold.

On October 6, 2023, 23andMe confirmed a major data breach. What the company did not initially disclose was the scope of what had happened or how long it had been happening. For five months, a threat actor had been inside 23andMe’s systems undetected, having initially accessed approximately 14,000 customer accounts.

The entry method was credential stuffing — a well-known attack technique that exploits the tendency of users to reuse passwords across multiple services. The attacker took credentials stolen from other breaches and used them to log into 23andMe accounts where customers had reused the same username and password. This is not an obscure attack vector. It is one of the most commonly documented methods of unauthorized account access and one that security teams at companies handling sensitive data are specifically expected to guard against. 23andMe’s security team was aware of a breach at MyHeritage — a genealogy site that had partnered with 23andMe and whose users 23andMe had actively encouraged to create accounts — and never checked for or blocked credential reuse following that breach.

Once inside, the attacker exploited a critical coding error in the “DNA Relatives” feature — a function allowing customers to share information and connect with genetic relatives — to access the data of nearly 7 million customers. The compromised data included identifying information, ancestry reports, and reports indicating the percentage of DNA shared with potential relatives. The company only began investigating after the attacker offered the stolen data for sale on the dark web and reached out directly to demand a ransom.

What Was Stolen — and Who Was Targeted

The nature of the data stolen and how it was offered for sale makes this breach categorically different from a typical credential compromise or payment card theft. The initial dark web posting specifically advertised that the stolen data belonged to Asian American and Pacific Islander and Jewish users. This occurred during a period of documented and increasing anti-AAPI and antisemitic hate and violence. The data was not just stolen — it was curated by ethnicity and ancestry and marketed to those who might seek to cause harm to people based on their genetic heritage.

Attorney General Bonta addressed this directly: “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous.”

Genetic data carries risks that other categories of personal data do not. A compromised password can be changed. A stolen credit card number can be cancelled. Genetic information cannot be altered. It reveals health predispositions the individual may not know about. It identifies biological relatives who never consented to share their information with the company. It can be used to identify individuals across generations. The harm from its exposure is not bounded by the immediate victims — it extends to family members who never created a 23andMe account.

The Cover-Up That Made Everything Worse

The breach itself, while serious, reflects failures that are — in the landscape of corporate data security incidents — disturbingly common. What separates the 23andMe case and drives the California AG’s enforcement action is what happened after the breach was discovered.

While 23andMe was publicly assuring customers and the media that it had not experienced a data security incident within its own systems, the company was simultaneously negotiating with and paying a ransom to the attacker. As part of those negotiations, the attacker provided 23andMe with information about multiple exploitable vulnerabilities within its systems — including the vulnerabilities used to carry out the attack. 23andMe continued to tell consumers there was no internal breach.

The company also downplayed the sensitivity of the stolen data, claiming that information taken from the DNA Relatives feature was essentially public. It attempted to shift blame to its customers for reusing passwords — a statement that was legally and factually misleading given that the company’s own systems had a critical coding error that dramatically amplified the attacker’s access far beyond the initial 14,000 accounts.

The California AG’s investigation found that 23andMe’s pre-breach security fell below industry standards in multiple documented ways, that the company missed multiple opportunities to detect the attack, and that its post-breach communications were designed to hide the severity of what had happened and minimize the company’s responsibility for it.

The Legal Framework: What 23andMe Is Accused of Violating

The lawsuit, filed in San Francisco Superior Court, alleges violations of multiple California statutes — a combination that reflects both the sensitivity of the data involved and the breadth of California’s privacy enforcement framework.

California’s Genetic Information Privacy Act (GIPA) imposes specific obligations on companies that collect genetic data, including requirements around consent, data security, and the prohibition on using genetic data for unauthorized purposes. Genetic data is treated as a distinct and elevated category under California law — not simply as personal information subject to the same rules as other data types.

California’s Reasonable Data Security Law (often called the California data breach law or the “reasonable security” requirement under Civil Code 1798.81.5) requires businesses that own or license personal information about California residents to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The AG’s complaint alleges that 23andMe’s security measures were not reasonable for a company holding genetic data — the most sensitive category of personal information.

The California Consumer Privacy Act (CCPA) gives California consumers rights over their personal information and imposes obligations on businesses that collect it. The CCPA’s private right of action for data breaches resulting from failure to implement reasonable security measures applies directly to this fact pattern.

The False Advertising Law and Unfair Competition Law (UCL) — the same statutes that underpin much of California’s consumer protection enforcement — are applied here to 23andMe’s pre-breach marketing of its security practices and its post-breach misleading statements. The AG’s position is that 23andMe made false representations to consumers about data security to encourage them to use its services, and then made further false representations after the breach to conceal its culpability.

The Bankruptcy Complication

The lawsuit is filed against Chrome Holding Co. — the name 23andMe adopted after the company filed for bankruptcy. That detail is not incidental. 23andMe’s bankruptcy proceedings include the potential sale of its assets, which means the potential sale of the genetic data of millions of customers to an unknown buyer. The California AG has a separate pending challenge in the U.S. Bankruptcy Court for the Eastern District of Missouri specifically addressing the sale of Californians’ genetic information and material in bankruptcy.

The core question is whether genetic data collected under specific consent terms — for specific purposes, from specific individuals — can simply be transferred to a new owner as a corporate asset in a bankruptcy sale, and whether that new owner would be bound by the original consent terms. This is an unresolved legal question with significant implications for the entire direct-to-consumer health and genetics industry. Consumer-facing genetic, health, and biometric data companies should be watching the bankruptcy proceedings closely — the outcome will establish precedent for how this category of data is treated in insolvency situations going forward.

What This Means for Organizations Handling Sensitive Data

The 23andMe enforcement action contains lessons that extend well beyond the genetics industry. The specific failures identified by the AG’s investigation — credential stuffing defenses, coding errors in data-sharing features, post-breach disclosure practices — are failures that can occur in any organization handling sensitive personal data.

Credential stuffing is a known, documented, preventable risk. Organizations holding sensitive personal data — health information, financial data, genetic data — are expected to implement defenses against it. Multi-factor authentication, anomaly detection for login patterns, monitoring for credential reuse following publicly disclosed breaches of related services — these are not exotic security measures. They are baseline expectations for organizations holding data of this sensitivity. The fact that 23andMe was aware of the MyHeritage breach, had directed its users to create MyHeritage accounts, and still never checked for credential reuse is the kind of documented failure that makes a regulator’s enforcement case straightforward.

Sensitive data categories require security measures calibrated to their sensitivity. The AG’s complaint specifically notes that 23andMe failed to properly account for genetic data and its high level of sensitivity when drafting and implementing security protocols. General-purpose data security frameworks applied without modification to a database of genetic health predispositions and ancestry information are not sufficient. The nature of the data must drive the design of the controls.

Post-breach communications are themselves a compliance obligation — and an enforcement risk. The legal consequences in this case are significantly compounded by what 23andMe said after the breach, not just by what it failed to prevent beforehand. False or misleading breach notifications, attempts to shift blame to consumers, and public statements that contradict what a company knows privately are not just ethically questionable — they are independently actionable under California’s consumer protection statutes. An organization’s breach response plan should be designed by people who understand this.

Third-party relationships create security obligations that must be actively managed. 23andMe’s awareness of the MyHeritage breach and its failure to act on that awareness is a vendor relationship management failure as much as a security failure. Organizations that encourage their users to create accounts with partner services, share data with affiliates, or integrate with third-party platforms take on a responsibility to monitor security events at those partners and respond accordingly. That responsibility is not discharged simply because the breach happened at the partner rather than the primary organization.

For organizations assessing their own data security compliance posture, the 23andMe investigation checklist is a useful benchmark. Did credential stuffing defenses fail? Were coding errors in data-sharing features tested? Was there a mechanism to detect anomalous data access within the systems? Were post-breach communications reviewed by legal and privacy counsel before publication? Was the sensitivity of the data reflected in the security architecture?
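As an added example (not code from this post, from 23andMe, or from the AG’s complaint), the following Python script shows two of the baseline controls named above and implied by the breach description earlier: anomaly detection for credential-stuffing login patterns (one source trying many distinct accounts with a high failure rate), and a check for password reuse against hashes from a publicly disclosed breach at a related service. The log line format, IP addresses, usernames, detection thresholds, and the breached-password set are all constructed for illustration; a real deployment would feed it real authentication logs and a real breach corpus supplied as hashes.

```python
"""Credential-stuffing detection over auth logs, plus a breached-password reuse check.
Added example with constructed sample data; not the post's or 23andMe's own code."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_auth_log(lines):
    """Parse constructed log lines shaped like
    '<ISO timestamp> ip=<addr> user=<name> result=<success|failure>'.
    Malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append(AuthEvent(datetime.fromisoformat(parts[0]),
                                fields["ip"], fields["user"],
                                fields["result"] == "success"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_failure_ratio=0.5):
    """Flag source IPs that hit many distinct accounts inside one time window with a
    high failure rate (the signature of replaying leaked username/password pairs).
    Returns {ip: {"accounts", "attempts", "failures", "compromised"}}, where
    "compromised" lists accounts that the flagged source logged into successfully
    and that should be forced through a password reset / step-up MFA."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i, start in enumerate(evs):
            # Advance the window end pointer so evs[i:j] spans at most `window`.
            while j < len(evs) and evs[j].ts - start.ts <= window:
                j += 1
            win = evs[i:j]
            users = {e.user for e in win}
            failures = sum(not e.ok for e in win)
            if len(users) >= min_accounts and failures / len(win) >= min_failure_ratio:
                flagged[ip] = {
                    "accounts": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(e.user for e in win if e.ok),
                }
                break  # one alert per source is enough; stats are from the first hit
    return flagged


def password_in_breach_corpus(password, breached_sha1_hashes):
    """Return True if this password appears in a set of SHA-1 hashes taken from a
    publicly disclosed breach. Comparing hashes means the plaintext corpus never has
    to be stored; run this at login and at password change, and force a reset on hit."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in breached_sha1_hashes


# Constructed sample log: 203.0.113.9 sprays six accounts in eight seconds and gets
# into one of them; 198.51.100.7 is a single user fumbling their own password.
SAMPLE_LOG = [
    "2023-05-01T02:00:01 ip=203.0.113.9 user=alice result=failure",
    "2023-05-01T02:00:03 ip=203.0.113.9 user=bob result=failure",
    "2023-05-01T02:00:04 ip=203.0.113.9 user=carol result=success",
    "2023-05-01T02:00:06 ip=203.0.113.9 user=dave result=failure",
    "2023-05-01T02:00:08 ip=203.0.113.9 user=erin result=failure",
    "2023-05-01T02:00:09 ip=203.0.113.9 user=frank result=failure",
    "2023-05-01T02:05:00 ip=198.51.100.7 user=alice result=success",
    "2023-05-01T02:06:00 ip=198.51.100.7 user=alice result=failure",
    "2023-05-01T02:07:00 ip=198.51.100.7 user=alice result=success",
]

# Constructed stand-in for a partner-breach corpus. A real corpus arrives as hashes;
# it is hashed from plaintext here only so the example is self-contained.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in ("password123", "letmein")}


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(f"ALERT credential stuffing from {ip}: {info}")
    for pw in ("password123", "correct horse battery staple"):
        print(pw, "-> reused from breach" if password_in_breach_corpus(pw, BREACHED_SHA1)
              else "-> not in corpus")
```

The two thresholds (five distinct accounts, at least half failures, inside ten minutes) are starting points; tune them against your own baseline so that a shared office NAT or a password manager retry does not trip the alert, and treat the `compromised` list as the set of accounts to reset and notify, since a stuffing source that succeeded is evidence of a valid reused credential, not a one-off.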

The Broader Enforcement Signal

California’s enforcement action against 23andMe is part of a clear and accelerating pattern. The California AG’s office has invested significantly in privacy and data security enforcement capability and has demonstrated consistent willingness to pursue major corporations for data security failures that affect California residents. The combination of California’s CCPA, GIPA, and the state’s consumer protection statutes creates a multi-theory enforcement framework that the AG’s office has now used repeatedly and effectively. The same combination of claims — inadequate security, misleading disclosures, consumer protection violations — that appears in the 23andMe complaint has been used in other enforcement actions and will be used again.

For any organization collecting health, genetic, biometric, or other sensitive personal data from California residents, the signal from this enforcement action is direct: the AG’s office is paying attention, the legal framework is well-developed, and the combination of a security failure and misleading post-breach communications is a pattern that generates both regulatory enforcement and significant reputational damage.

A data security audit that identifies and closes the gaps before a breach occurs is a fraction of the cost of defending a multistate AG investigation after one. The 23andMe timeline — five months of undetected access, ransom negotiations, misleading public statements, bankruptcy, and now litigation — is a useful illustration of how quickly the cost of inadequate security compounds when it goes wrong.
