California sues 23andMe, alleging it failed to protect user data in 2023 breach


LOS ANGELES -- California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive personal data in a 2023 breach that affected about 7 million people across the country.

Attorney General Rob Bonta filed the suit against Chrome Holding Co., the name 23andMe took after filing for bankruptcy last March. 23andMe is known for its direct-to-consumer DNA test kits, which gave customers information about their ancestry and their genetic predispositions for certain health conditions.

The suit seeks civil penalties against 23andMe and injunctions barring the company from further violations of California's privacy protection laws.

The company has acknowledged that it suffered a major data breach in 2023 in which about 14,000 accounts were accessed, and that through those accounts the attackers were able to steal data on about 7 million customers. The cyberattack used "credential stuffing," in which attackers replay username and password pairs leaked from other breaches, taking advantage of customers' tendency to choose weak or common passwords or to reuse the same password across multiple accounts.

Bonta's office said this is a well-known attack that businesses should know to guard against. The attackers used stolen user account credentials, including ones from a massive data breach in October 2017 that affected MyHeritage, one of 23andMe's former partners. After that breach, 23andMe did not adopt common safeguards such as asking customers to reset their passwords or requiring multifactor authentication.

23andMe did not immediately respond to an emailed request for comment.

“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen personal data for sale on the dark web and reached out to 23andMe to demand a ransom,” prosecutors said in the complaint.

In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers' records belonged to Asian-Pacific Islander and Ashkenazi Jewish users.

“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”

The stolen data included raw genetic data, health reports, DNA shared with other relatives, and the locations and birth years of relatives.

The suit says that after notifying the public about the breach, 23andMe continued to mislead consumers about its severity and about the company's role in it.

The company has said it only learned of the breach in October 2023, when the stolen data was posted for sale on the dark web. However, the suit says the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post in August discussing a possible breach and sale of user data.
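The complaint describes both the technique (credential stuffing with passwords leaked from other sites) and the missed signal (a spike in login attempts). The following is an added example, not code from the article, from 23andMe, or from the attorney general's office: it shows the kind of check a security operations team would run over authentication logs to catch such a spike and to tell credential stuffing apart from ordinary brute force. The log format, the thresholds, and every sample line and address below are constructed for the example.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not from the article. The log format
"<ISO timestamp> <user> <src_ip> <ok|fail>", the thresholds and all
sample lines are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed quiet traffic: a handful of users, occasional typo, mostly "ok".
QUIET_LINES = """\
2023-07-10T09:00:05 alice 203.0.113.5 ok
2023-07-10T09:12:40 bob 203.0.113.9 fail
2023-07-10T09:13:01 bob 203.0.113.9 ok
2023-07-10T10:02:11 carol 198.51.100.4 ok
2023-07-10T10:45:59 dave 198.51.100.8 ok
2023-07-10T11:20:13 erin 203.0.113.22 fail
2023-07-10T11:20:31 erin 203.0.113.22 ok
2023-07-10T12:00:00 frank 198.51.100.17 ok""".splitlines()

# Constructed stuffing burst: 40 different accounts, each tried once from a
# few addresses, mostly failing (a leaked list replayed against the site).
STUFFING_LINES = [
    f"2023-07-10T13:{i:02d}:{(i * 7) % 60:02d} user{i:03d} 192.0.2.{1 + i % 3} "
    f"{'ok' if i % 10 == 0 else 'fail'}"
    for i in range(40)
]

# Constructed brute force for contrast: one account hammered from one address.
BRUTE_FORCE_LINES = [
    f"2023-07-10T15:{i:02d}:00 admin 192.0.2.99 fail" for i in range(30)
]

SAMPLE_LOG = QUIET_LINES + STUFFING_LINES + BRUTE_FORCE_LINES


@dataclass(frozen=True)
class HourStats:
    hour: str
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts

    @property
    def users_per_attempt(self) -> float:
        # Near 1.0 means each account was tried about once: the stuffing
        # signature. Brute force against one account drives this toward 0.
        return self.distinct_users / self.attempts


def parse_line(line: str):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def hourly_stats(lines) -> list:
    """Bucket login events by hour and summarise each bucket."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        buckets[ts.strftime("%Y-%m-%dT%H")].append((user, ip, result))
    return [
        HourStats(
            hour=hour,
            attempts=len(ev),
            failures=sum(1 for _, _, r in ev if r == "fail"),
            distinct_users=len({u for u, _, _ in ev}),
            distinct_ips=len({ip for _, ip, _ in ev}),
        )
        for hour, ev in sorted(buckets.items())
    ]


def find_stuffing_windows(stats, *, volume_factor=5.0, min_failure_rate=0.5,
                          min_users_per_attempt=0.8, min_attempts=20):
    """Return hours whose volume and shape look like credential stuffing.

    The baseline is the median attempts/hour of the *other* hours, so a
    single large burst cannot inflate its own baseline (a mean+stdev rule
    is dragged upward by the very outlier it is meant to catch).
    """
    flagged = []
    for s in stats:
        others = [o.attempts for o in stats if o is not s] or [1]
        baseline = max(1.0, median(others))
        if (s.attempts >= min_attempts
                and s.attempts >= volume_factor * baseline
                and s.failure_rate >= min_failure_rate
                and s.users_per_attempt >= min_users_per_attempt):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in find_stuffing_windows(hourly_stats(SAMPLE_LOG)):
        print(f"{s.hour}: {s.attempts} attempts, {s.distinct_users} accounts, "
              f"{s.distinct_ips} source IPs, failure rate {s.failure_rate:.0%}")
```

Run stand-alone, the script reports only the 13:00 hour: forty attempts against forty distinct accounts with a 90% failure rate. The 15:00 brute-force hour is just as loud in raw volume but is not reported, because a single account tried thirty times has a users-per-attempt ratio near zero; it belongs to a different alert. In a real deployment the baseline would come from weeks of history rather than the same day, and an alert like this would be followed by forced password resets and a multifactor requirement for the accounts that logged in successfully during the burst.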

Genetic data requires “one of the highest levels of protection,” and California law “mandates a heightened legal obligation” to protect it, the suit said.

Bonta also intervened to ensure customers' genetic data would not be mishandled during 23andMe's Chapter 11 bankruptcy and asset sale, arguing that California's Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. The sale was nonetheless allowed to proceed.

In 2024, 23andMe agreed to pay a $30 million settlement in a class-action suit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was later raised to $50 million to resolve most U.S. customer claims and received final approval in January from the federal judge overseeing 23andMe's bankruptcy.
