California Attorney General to Sue 23andMe Over Breach

Your DNA may be for sale on the dark web, and the state is suing. This legal action targets the predecessor company, 23andMe, over a devastating 2023 data breach. The lawsuit alleges the firm failed to protect the deeply sensitive genetic data of millions of users.


What Did 23andMe Fail to Do to Protect User Data?

Attorney General Bonta alleged that Chrome Holding’s predecessor company, 23andMe, failed to protect sensitive customer data. The investigation revealed a critical lack of basic security measures: the company did not implement appropriate authentication and verification measures during the login process, so attackers could access accounts without triggering any alarms. The company essentially left the door open for intruders.

Attorney General Bonta further stated that 23andMe “lied to consumers about the severity of its 2023 data breach.” This accusation is a central pillar of the 23andme data breach lawsuit. It suggests that the company knew the scope of the damage but chose to minimize it publicly. This deception prevented users from taking timely action to protect themselves.

What Was the Unique Attack Method Used?

Here is where it gets interesting. The attack was not a sophisticated zero-day exploit or a direct hack of 23andMe’s core servers. It was a credential stuffing attack. Attackers used passwords exposed in previous, unrelated data breaches to access 23andMe accounts. Users who had reused passwords for their genetic testing accounts were the primary entry point.

This method exploits a systemic vulnerability that exists across many online services: password reuse. The attackers did not need to guess new passwords. They simply replayed email-and-password pairs leaked in earlier breaches against 23andMe’s login page, and every pair that had been reused worked. It is a stark reminder that your weakest password often defines the security of your most sensitive accounts.
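Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different accounts in a short time, most attempts failing, a few succeeding. The following is an added example (not code from the article or from 23andMe) of the kind of alarm the article says was missing; the log records and thresholds are constructed for illustration.

```python
# Added example, not from the article: flag the login pattern credential stuffing
# leaves in authentication logs. The log records below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # Unix time of the attempt
    src_ip: str      # client address as seen by the login service
    account: str     # e-mail address submitted at login
    success: bool    # whether the password was accepted


def detect_credential_stuffing(events, window=600, min_accounts=10, min_fail_ratio=0.8):
    """Return {src_ip: accounts whose login succeeded} for every source whose
    attempts inside any `window`-second span cover at least `min_accounts`
    distinct accounts and fail at least `min_fail_ratio` of the time.
    A lone user retrying one forgotten password never reaches min_accounts."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            accounts = {e.account for e in span}
            failures = sum(not e.success for e in span)
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                # Successes from a stuffing source are suspected account takeovers.
                findings.setdefault(ip, set()).update(e.account for e in span if e.success)
    return findings


# Constructed sample: one source sprays 12 leaked e-mail/password pairs in four
# minutes (two still match); a legitimate user mistypes a password twice, then logs in.
SAMPLE_EVENTS = [
    LoginEvent(1_700_000_000 + 20 * i, "203.0.113.7", f"user{i:02d}@example.com", i in (3, 9))
    for i in range(12)
] + [
    LoginEvent(1_700_000_000, "198.51.100.5", "alice@example.com", False),
    LoginEvent(1_700_000_030, "198.51.100.5", "alice@example.com", False),
    LoginEvent(1_700_000_060, "198.51.100.5", "alice@example.com", True),
]

if __name__ == "__main__":
    for ip, taken_over in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: credential stuffing, suspected takeovers: {sorted(taken_over)}")
```

In production the same logic would run per source over a streaming log and the successful logins it reports would be the accounts to force a password reset and 2FA enrolment on.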

Which Groups Were Specifically Targeted in the Data Sale?

Notably, Bonta alleges the sale of 23andMe user data on the dark web was touted as belonging to AAPI and Jewish users. The attackers specifically advertised the stolen data by ethnicity and ancestry. This act weaponized genetic data, turning a privacy breach into a targeted hate crime.

Bonta described this aspect of the breach as “disturbing and incredibly dangerous.” The timing of the data sale made it even more harmful. It occurred during a period of “mounting anti-Asian American and Pacific Islander and antisemitic hate and violence.” The attackers exploited the very data that users provided to learn about their heritage.

How Did Regulators Respond to the Breach?

In response, international regulators took swift action. The UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million. The ICO found that the company violated UK data protection law. They concluded that 23andMe failed to put adequate measures in place to secure sensitive user data prior to the incident.

The ICO’s probe was conducted in coordination with Canada’s privacy commissioner. This regulatory collaboration highlights the global concern over genetic privacy. It also emphasizes that companies holding genetic data face scrutiny from multiple jurisdictions. The 23andme data breach lawsuit in California is another major front in this international enforcement effort.

Why Genetic Data Is Considered a ‘Special Category’ Under Privacy Laws

Under UK data protection law, genetic data is considered a special category of data. Unlike a simple email address or browsing history, your DNA reveals immutable information about you. It contains details about your health predispositions, ancestry, and biological relatives. Because of this sensitivity, the law requires additional protections and safeguards for it.

The special classification imposes a higher duty of care on companies handling this data. Regulators expect stronger encryption, stricter access controls, and more transparent consent mechanisms. The 23andme data breach lawsuit argues that the company failed to meet this elevated standard. This failure directly led to the exposure of nearly seven million users.

What Does the Targeting of AAPI and Jewish Users Reveal About the Risk of Demographic Data?

Bonta described the sale of data belonging to specific ethnic groups as deeply disturbing. This incident reveals a dark potential for genetic data. When combined with metadata, DNA information can be used to identify and target specific populations. This risk is especially acute during periods of rising hate and violence.

The targeting of AAPI and Jewish users demonstrates that genetic data can be weaponized. It can be used to blackmail, harass, or discriminate against individuals based on immutable biological characteristics. This case is a troubling early illustration of how threat actors might exploit genetic databases in the future.

Why Did Users Struggle to Delete Their Data After the Breach?

Adding to the complexity, users reported difficulty deleting their accounts after the company filed for Chapter 11 bankruptcy protection. As 23andMe prepared to sell itself through a court-supervised process, data deletion became a legal grey area. Users expressed concern over the prospect of insurance companies purchasing their data and using it to determine coverage.

The bankruptcy process complicated a user’s ability to control their own genetic information. Some users felt trapped, unable to remove their sensitive data from a company in financial turmoil. This frustration added to the overall sense of betrayal that followed the initial security failure.


How Does a Bankruptcy and Subsequent Rebranding Complicate Accountability?

The company was rebranded as Chrome Holding after 23andMe filed for bankruptcy. This corporate restructuring creates significant challenges for accountability. The California Attorney General’s lawsuit argues that the new company inherits the liabilities of the old one. However, legal observers note that bankruptcy proceedings can dilute or erase claims from individual users.

The rebranding makes it harder for the public to connect the current entity to the past failure. It can also create hurdles for users trying to locate the correct legal entity to sue. The 23andme data breach lawsuit aims to test whether a rebranded company can escape liability for prior data protection failures.

International Regulatory Response: Coordination Across Borders

The investigation by the ICO was conducted in coordination with Canada’s privacy commissioner. This cross-border collaboration shows how regulatory bodies are adapting to global data flows. Genetic data does not respect national borders, and neither can the enforcement of privacy laws. This coordinated response sets a precedent for how future international data breach investigations will be handled.

This global regulatory pressure may force companies to adopt the strictest standard of data protection that applies to them anywhere. A company operating in multiple countries must now satisfy the most demanding regulatory framework among them. This is a positive development for consumers who were unsure which country’s laws protected them.

How to Check If Your 23andMe Account Was Exposed

Given the credential stuffing attack vector, proactive steps are vital. Users should first check if their email or phone number was involved in a known data breach by using a service like Have I Been Pwned. If you reused your 23andMe password on any other site, that password is now compromised.

You must change it immediately on all platforms. Enable two-factor authentication (2FA) on your 23andMe account and other sensitive accounts. Moving forward, use a password manager to generate unique, complex passwords for every site. This simple habit would have defeated the credential stuffing used in this 2023 data breach, because a password leaked from one site would not have opened an account anywhere else.
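Have I Been Pwned also lets you test whether a password itself appears in known breach dumps without ever sending the password: only the first five hex characters of its SHA-1 hash go to the service, and the matching is done locally (k-anonymity). The following is an added example (not code from the article or from Have I Been Pwned) that implements that check against the real Pwned Passwords range endpoint; the sample response body and its counts are constructed so the code runs offline.

```python
# Added example, not from the article: check a password against the Have I Been
# Pwned "Pwned Passwords" corpus without sending the password (k-anonymity).
import hashlib
from urllib.request import Request, urlopen

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how often
    the password with this suffix appeared in known breaches, 0 if absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup: the service returns every suffix sharing the 5-char prefix."""
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "reuse-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_exposure_count(password: str, fetch=fetch_range) -> int:
    """Number of times `password` appears in the corpus; `fetch` is injectable so
    the check can run offline against a captured or constructed response."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed range body for prefix 5BAA6 (a real response lists hundreds of
# suffixes); the counts here are made up for the example.
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",   # suffix of SHA-1("password")
    "01330C689CCF9AAF5F8A8F7A4C8B4A1F6D2:1",
])

if __name__ == "__main__":
    n = password_exposure_count("password", fetch=lambda prefix: CONSTRUCTED_RANGE_5BAA6)
    print("seen in breaches" if n else "not found", n)
```

Calling `password_exposure_count(pw)` with the default `fetch` performs the live lookup; any non-zero count means the password is in attackers' stuffing lists and must not be reused anywhere.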

Frequently Asked Questions

What concrete steps can I take right now to check if my own 23andMe account credentials were reused elsewhere and exposed in prior breaches?

You should immediately check your email addresses on a breach notification service like Have I Been Pwned. If your credentials appear in any past breaches, change your password on every platform where you used that same combination. Enable two-factor authentication on your 23andMe account and other sensitive logins to add an extra layer of security.

How do bankruptcy proceedings change a user’s ability to request deletion of their genetic data from a company that has been sold or rebranded?

When a company files for Chapter 11 bankruptcy, its assets, including user data, are treated as assets to be sold. Deletion requests can be legally paused during this process, making it difficult for users to remove their data. It is advisable to monitor the bankruptcy proceedings and submit deletion requests once the sale concludes, as the new owner may have different data retention policies.

Why does the ICO treat genetic data differently from other personal data, and what extra protections does that law require?

The ICO classifies genetic data as a “special category” of data under UK law. This is because your DNA contains immutable and highly sensitive information about your health, ethnicity, and family. This classification requires companies to implement explicit consent mechanisms, conduct Data Protection Impact Assessments (DPIAs), and apply robust encryption and access controls before processing such data.

The 23andme data breach lawsuit represents a pivotal moment for genetic privacy regulation. It demonstrates that companies holding highly sensitive biometric data will be held to the highest security standards. For users, it serves as a critical reminder that the account guarding your genetic code deserves the strongest password hygiene and privacy protections available.
