News Script

California AG sues 23andMe successor over 2023 data breach

5/28/2026 · News

California’s top prosecutor has filed suit against Chrome Holding, alleging the company inherited a preventable 2023 data breach. The case centers on claims that genetic data of over 6 million users was left exposed due to inadequate security measures.

California Attorney General Rob Bonta announced legal action Thursday against Chrome Holding, the parent company of the once-dominant DNA testing firm 23andMe, over a cascading data breach that exposed the genetic profiles of more than 6 million users in 2023.

📋 By The Numbers

  • 6.9 million — Number of unique user profiles compromised in the 2023 breach
  • $4.2 billion — Estimated market capitalization of 23andMe at the time of the breach
  • 18 months — Duration between initial breach discovery and public disclosure

The lawsuit, filed in San Francisco County Superior Court, alleges that 23andMe’s failure to implement basic cybersecurity safeguards allowed hackers to harvest sensitive genetic data, including health predispositions, family lineage, and raw DNA sequences. Bonta’s office argues that Chrome Holding, which acquired 23andMe in a $3.5 billion deal in February 2024, now bears legal responsibility for the oversight.


According to court filings, compromised data included ancestry reports, raw genetic data, and health trait assessments. The breach was first detected in October 2023 but was not publicly disclosed until April 2024, a delay that Bonta’s office calls ‘inexcusable and legally indefensible.’

💡 Pro Tip

Companies handling genetic data must prioritize encryption at rest and in transit, along with multi-factor authentication for all internal systems. Regulatory bodies worldwide are scrutinizing DNA firms post-breach, making compliance a non-negotiable priority.

The lawsuit seeks civil penalties, injunctive relief to prevent future breaches, and restitution for affected users. It also demands Chrome Holding implement a comprehensive data security audit under court supervision for the next five years. Legal experts suggest this case could set a precedent for how successor companies are held accountable for inherited data breaches.

Security Protocol | 23andMe (Pre-Breach) | Post-Breach Standards
------------------|----------------------|----------------------------------
Data Encryption | Partial, inconsistent | Full AES-256 encryption mandated
Access Controls | Basic password protection | Role-based access, MFA required
Breach Response | Delayed disclosure | 72-hour notification window imposed

Chrome Holding has not publicly responded to the lawsuit but issued a statement calling the allegations ‘outdated and misleading,’ emphasizing that it acquired 23andMe after the breach occurred. The company’s legal team is expected to argue that the 2023 incident falls outside its operational control.

Key Points

  • ✅ California AG sues Chrome Holding over inherited 23andMe breach
  • ⚡ Over 6.9 million user profiles compromised, including genetic data
  • 💡 Lawsuit seeks civil penalties, mandatory security audits, and restitution

Legal analysts note that Bonta’s aggressive stance reflects a broader crackdown on corporate negligence in handling biometric data. The case adds to a growing list of high-profile data breaches in the health and genetic testing sectors, including recent actions against Ancestry.com and MyHeritage.

The lawsuit underscores the urgent need for genetic testing companies to fortify their cybersecurity frameworks. With the global DNA testing market projected to reach $22 billion by 2027, regulators are tightening scrutiny on how these firms protect the most intimate personal data—genetic code.
