The California attorney general is suing genetic-testing company 23andMe, which was previously headquartered in Mountain View and is now based in Palo Alto, for a 2023 data breach that impacted nearly 7 million users.
In his suit, Attorney General Rob Bonta alleges that 23andMe, which changed its official name to Chrome Holding Co. last year, failed to adequately protect sensitive personal information and genetic data. The company then misled customers about a 2023 data breach that occurred over a period of five months, according to a Thursday press release.
According to the complaint, customer information was offered for sale on the “dark web” by unauthorized agents who touted that the data belonged to Asian-Pacific Islander and Jewish users. This occurred at a time of escalating anti-Asian and antisemitic hate and violence.
“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe and then lied to consumers about the severity of its 2023 data breach,” Bonta said in the press release. “Our investigation found that the company failed to take basic steps to protect users’ data – data including the sensitive personal information, family histories, and health conditions of consumers.”
Founded in 2006, 23andMe was the first company to sell DNA sequencing kits directly to consumers. It quickly rose to prominence before facing financial hardships and filing for bankruptcy last year.
The 23andMe Research Institute, which acquired 23andMe’s assets last year in a bankruptcy auction, said in a statement that it is a “newly established independent nonprofit organization” that isn’t involved in the lawsuit.
“The lawsuit pertains to events and operations associated with the former commercial entity prior to the creation of the 23andMe Research Institute,” spokesperson Tracy Keim said in the statement. “The institute was not involved in the complaint and has no role in the underlying litigation.”
The data breach
In 2023, 23andMe confirmed that it had experienced a major data breach in which 14,000 accounts had been hacked, with unauthorized agents gaining access to the sensitive information of 7 million customers, including more than 850,000 Californians, according to Bonta.
The data breach involved a type of cyberattack called “credential stuffing,” in which unauthorized agents collect sensitive information from businesses by finding weak and common passwords that customers tend to use to log into their accounts, according to the press release.
According to Bonta, the hackers accessed the company’s system first by using account credentials stolen in other data breaches, including from MyHeritage, another genealogy site that had partnered with 23andMe. The security breach at MyHeritage was well-publicized, but 23andMe did not check or prevent credential reuse, Bonta said.
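The two controls the press release says were missing, a check of submitted passwords against credentials exposed in earlier breaches and detection of one source trying many different accounts, can both be shown in a few dozen lines. The following is an added illustration written for this article, not code from 23andMe or from the complaint; the log format, the thresholds and the small breached-password corpus are constructed for the example.

```python
"""Defensive checks against credential stuffing (added example).

Two pieces, both with constructed inputs:
  1. A k-anonymity style lookup of a password against a corpus of
     credentials exposed in other breaches (the corpus here is a
     constructed stand-in, not a real feed).
  2. A detector run over constructed login-log lines that flags a source
     failing logins across many distinct accounts, the pattern left by
     replaying a stolen credential list.
"""
import hashlib
from collections import defaultdict

# Constructed sample log: "timestamp source_ip account outcome" per line.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-01T10:00:02Z 203.0.113.7 carol@example.com OK
2023-04-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-04-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-04-01T10:00:04Z 203.0.113.7 frank@example.com OK
2023-04-01T10:05:00Z 198.51.100.2 grace@example.com FAIL
2023-04-01T10:05:30Z 198.51.100.2 grace@example.com OK
"""


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the digest form used by
    range-query breach corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-credential corpus (assumption).
BREACHED_PASSWORDS = {"password1", "letmein", "qwerty123"}
_BREACHED_HASHES = {sha1_hex(p) for p in BREACHED_PASSWORDS}


def range_lookup(prefix):
    """Server side of a k-anonymity range query: return every hash suffix
    in the corpus whose digest starts with the 5-character prefix. The
    client never reveals the full hash, only the prefix."""
    return {h[5:] for h in _BREACHED_HASHES if h.startswith(prefix)}


def is_breached_password(password):
    """Client side: send the prefix, compare the suffix locally. A True
    result should block the password at signup, reset and login."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def parse_log(text):
    """Parse the constructed log format into (ts, ip, account, success)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, account, outcome = parts
        events.append((ts, ip, account, outcome == "OK"))
    return events


def detect_stuffing(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag sources that tried many distinct accounts with a high failure
    ratio (thresholds are assumptions; tune against real traffic).
    Accounts that did succeed from a flagged source are the ones to force
    a password reset and session revocation on."""
    by_ip = defaultdict(lambda: {"accounts": set(), "ok": set(),
                                 "fails": 0, "total": 0})
    for _, ip, account, success in events:
        s = by_ip[ip]
        s["accounts"].add(account)
        s["total"] += 1
        if success:
            s["ok"].add(account)
        else:
            s["fails"] += 1

    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_accounts": len(s["accounts"]),
                "fail_ratio": round(ratio, 2),
                "likely_compromised": sorted(s["ok"]),
            }
    return flagged


if __name__ == "__main__":
    print("letmein breached:", is_breached_password("letmein"))
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In the sample log the single source 203.0.113.7 touches six accounts with four failures, so it is flagged and its two successful logins are listed for forced reset; the source that fails once and then succeeds on its own account is left alone. The breach-corpus check is what would have caught passwords reused from the MyHeritage incident the article mentions, and the per-source detector is the signal that the account takeovers were one campaign rather than isolated logins.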
The agents then used a “vulnerability involving a critical coding error in ‘DNA Relatives’ – a feature that allowed DNA-related customers to share information and contact each other – to steal additional identifying information, ancestry reports and reports indicating the percentage of DNA shared with potential relatives,” Bonta said.
News about the cyberattack was only made public after the data of 1 million customers was offered for sale on the dark web, according to Bonta.
That same year, the California Department of Justice conducted an investigation and concluded that 23andMe’s data security procedures, prior to the breach, “fell below security and industry standards,” despite the company touting its security practices as meeting the “highest industry standards,” according to Bonta’s press release. Additionally, 23andMe “omitted key information in an effort to hide and downplay” the severity of the breach and the company’s responsibility for it, the release said.
“23andMe continued to inform consumers that there was no data security incident within its systems, despite being informed by the threat actor during ransom negotiations of multiple exploitable vulnerabilities within 23andMe’s systems,” Bonta said.
The lawsuit alleges that 23andMe violated multiple laws, including California’s Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law and the California Consumer Privacy Act.