
CALIFORNIA SUES 23ANDME OVER 7M-PERSON DATA BREACH

AI DESK · 2 MIN READ
FRI, MAY 29, 2026

■ AI-SUMMARIZED FROM 1 SOURCE

California's attorney general filed suit against genetic testing company 23andMe on Thursday, alleging it failed to adequately protect user data in a 2023 breach affecting approximately 7 million people across the United States.

Attorney General Rob Bonta's lawsuit claims 23andMe neglected to implement reasonable security measures that would have prevented unauthorized access to sensitive genetic and health information. The breach, discovered in 2023, exposed personal data belonging to millions of customers nationwide.

The complaint alleges that 23andMe's security failures violated California consumer protection laws. According to Bonta's office, the company failed to use adequate safeguards such as stronger password requirements and additional security protections despite knowing the risks associated with storing genetic data.

23andMe confirmed the breach last year, initially indicating that hackers accessed account information through credential stuffing attacks, where bad actors use previously compromised usernames and passwords to gain entry to accounts. The company subsequently revealed that some users' genetic ancestry data had also been exposed.

The lawsuit seeks penalties and damages on behalf of affected California residents. It represents one of several legal challenges the genetic testing company has faced following the breach.

The case highlights ongoing tensions between data-intensive tech companies and regulators over security practices. Genetic testing services collect some of the most sensitive personal information available—DNA data that can reveal family relationships, ancestry, and potential health risks. Such information requires heightened protection standards compared to typical consumer data.

23andMe did not immediately respond to requests for comment on the lawsuit. The company has previously stated it takes security seriously and has implemented improvements to its systems following the incident.

The litigation underscores regulatory scrutiny of how companies handle biometric and genetic information, particularly in California, where privacy protections have become increasingly stringent in recent years.

■ SOURCES

Techmeme

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
