What You Should Know About The 23andMe Breach Lawsuit
The 23andMe data breach lawsuit is one of the most significant privacy-related legal actions involving genetic information in the United States. The California Attorney General, Rob Bonta, has sued 23andMe’s owner, Chrome Holding Co., alleging that it failed to take adequate precautions to protect its customers’ sensitive personal data both before and after the major cyber-attack of 2023.
The case revolves around the most personal information a person can hand over: genetic data (DNA), ancestry reports, biological relatives, ethnic background, and genetically related health risk factors. Unlike other types of data (such as passwords and bank account numbers), DNA data cannot be changed or revoked once it has been exposed. The harm from this breach therefore reaches beyond the individuals whose own genetic information was taken, affecting the genetic privacy of everyone whose DNA that data describes.
The California AG states that the 2023 incident impacted approximately 7 million users across the USA, including tens of thousands of Californians. In their lawsuit, they allege that 23andMe failed to implement basic security measures, ignored security warnings, and made misleading statements to users about the extent of the data breach.
The Chrome Holding lawsuit, a result of 23andMe’s bankruptcy and rebranding, raises further questions for customers about what might happen to their genetic data after a company merger. For privacy advocates, this lawsuit is a cautionary tale about the perils of storing DNA data with private entities; from a consumer’s viewpoint, it serves as a reminder that the convenience of a genetic test may result in serious long-term privacy implications.
What is the 23andMe Case?
The California Attorney General is suing Chrome Holding Co., the entity that owns the former 23andMe, for failing to safeguard the sensitive information of customers who use direct-to-consumer DNA testing.
The company became widely known because its saliva-based DNA kits give users information about their ancestry, ethnicity, genetic traits, and the likelihood of developing certain health conditions. After collecting biological samples from customers, 23andMe generates reports based on their genetic information. For some customers, the report provided valuable genealogical information or insight into potential health risks; the same sensitivity that makes this information valuable, however, is what makes its exposure so serious.
The filing alleges that the firm lacked proper security protocols to protect this data. According to Bonta, California’s AG, the attacks against customer accounts, and the harvesting of linked information through those accounts (including relatives’ data and DNA results), could only have happened because of 23andMe’s negligence.
The suit states that 23andMe deceived its customers about the security breach it suffered in 2023. This accusation is significant because businesses that handle sensitive health and genetic information are required to provide their clients prompt, complete, and clear information following a breach.
The lawsuit’s inquiry also goes beyond whether hackers had access to the client’s accounts, evaluating 23andMe’s preventive measures to thwart attacks, its actions to detect and respond to attacks expeditiously, and its representations regarding the facts of the incident.
Who Exactly is Chrome Holding and What is the Basis for the Lawsuit Filed Against the Company?
A potential source of confusion for some could be the company’s name, Chrome Holding Co. The lawsuit alleging improper handling of genetic data is directed at Chrome Holding Co. because it is the successor, or rebranded form, of 23andMe. Upon filing for bankruptcy in 2010, 23andMe also underwent a restructuring and sale process, raising significant questions about the future of customers’ genetic data.
The term “23andMe successor” is key both for search engine visibility (SEO) and for understanding the case. While customers identify with the 23andMe brand, the legal action is directed at Chrome Holding because, under the company’s post-bankruptcy structure, the two are effectively the same entity.
Beyond its detailed account of the breach itself, California’s lawsuit raises a longer-term concern about what happens when an organisation holding sensitive DNA content (as opposed to less sensitive data) becomes bankrupt, changes ownership, or is reorganised. If a company owns millions of genetic profiles, the consequences of a bankruptcy or an ownership change reach well beyond the firm’s finances; they can amount to a privacy crisis.
Moreover, customers who submitted DNA samples several years ago did not expect their sensitive genetic data to be included in a court-supervised sale or reorganisation of the company. This lawsuit involving Chrome Holding Co. has therefore become a matter of close interest to privacy lawyers, data security professionals, and others.

What Caused the 2023 Data Breach of 23andMe?
The 23andMe breach of 2023 was carried out through credential stuffing. Credential stuffing is when an attacker takes usernames and passwords leaked in previous data breaches and tries them against other services, on the assumption that the victim reused the same credentials.
Credential stuffing is not new and has long been a cybersecurity issue, because many individuals use identical or similar passwords across multiple accounts. Thus, if a password from one platform is stolen, the attacker tries it on many other services: banking, email, shopping websites, and health-related services.
At 23andMe, attackers gained direct access to a relatively small number of accounts and, through those accounts, reached data connected to them, exposing many other users whose own accounts were never compromised. This matters because DNA companies provide family-matching tools that show shared DNA percentages and connections to ancestral origins; if one individual’s account is compromised, the data linked to that account through those tools becomes visible to the attacker as well.
According to the California complaint, 23andMe did not take reasonable steps to prevent a credential stuffing attack. The safeguards a company should have in place against this kind of attack include strong authentication, monitoring of suspicious login attempts, forced password resets after a set period or after a set number of unsuccessful login attempts, rate limiting, and multi-factor authentication.
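The monitoring safeguard described above can be made concrete. The following is an added example, not code from the page, from 23andMe, or from the complaint: it scans authentication log lines in an assumed, constructed format and flags sources whose behaviour matches credential stuffing (one source trying many distinct usernames with mostly failures in a short window), then lists the accounts that source did get into so they can be forced through a password reset. The log format, IP addresses and thresholds are all assumptions a defender would tune for their own system.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Assumed log line format (constructed for this example):
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
A single user mistyping a password fails a few times on ONE username.
Credential stuffing fails across MANY usernames from one source, with the
occasional success where a reused password happened to work.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-10-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2023-10-01T10:00:03 ip=203.0.113.7 user=dave result=ok
2023-10-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2023-10-01T10:00:09 ip=198.51.100.4 user=grace result=fail
2023-10-01T10:00:15 ip=198.51.100.4 user=grace result=fail
2023-10-01T10:00:40 ip=198.51.100.4 user=grace result=ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"],
                   m["result"] == "ok")


def find_stuffing_sources(text, window=timedelta(minutes=5),
                          min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: report} for sources that match the stuffing pattern.

    A source is flagged when, within any sliding time window, it attempted at
    least `min_distinct_users` different usernames and at least `min_fail_ratio`
    of those attempts failed. The report keeps the widest matching window and
    the usernames that were successfully logged into from that source, which
    are the accounts to treat as compromised.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
                report = {"distinct_users": len(users), "attempts": len(chunk),
                          "fail_ratio": round(fails / len(chunk), 2),
                          "compromised_users": sorted(u for _, u, ok in chunk if ok)}
                if ip not in flagged or report["attempts"] > flagged[ip]["attempts"]:
                    flagged[ip] = report
    return flagged
```

In the sample, the source that tried six usernames and succeeded once is flagged and `dave` is reported as compromised, while the user who failed twice on her own account before logging in is not.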
What Information Was Breached?
The 23andMe customer data exposed in the breach included highly sensitive personal information. It is alleged that the exposed information includes ancestry and ethnicity information, biological relatives, health reports, genetic traits, and genetic predisposition data.
This type of information is not the same as your average personal information. A stolen email address can be changed. A compromised password can be reset. A cancelled credit card can be replaced. However, DNA is permanent and can reveal information about family members even if they never sign up for the service.
This is part of why breaches of ancestry data and the exposure of biological relatives’ data are very concerning; DNA information is not only individual but also relational. One person’s DNA can provide inferences about their parents, siblings, children, and even further back in family ancestry.
The lawsuit has also raised the question of whether 23andMe data was sold on the dark web. Reports and allegations indicate that information stolen in the breach was offered for sale online, with listings that specifically referenced AAPI and Jewish users. The targeting of these two ethnic and genealogical groups makes the theft even more concerning at a time of heightened concern about hate and discrimination.
Why Genetic Data Privacy Matters
The 23andMe data breach lawsuit highlights why genetic data privacy matters and the unique risks that genetic data carries. DNA data can reveal a person’s ethnic ancestry, biological family connections, possible health risks, genetic traits, and other family relationships. Genetic data can also be used in ways customers do not anticipate at the time they purchase a testing kit.
Genomic data privacy is important for four main reasons.
- The genetic information is permanent and cannot be changed by the user once compromised.
- The upload of a user’s genetic data can reveal information about family members, even if they did not provide any data to the testing kit provider.
- Genetic information has value for future analysis, customer research, health or life insurance pricing, marketing, and to law enforcement, hackers, and data aggregators. Even if a company states that the user’s data is private, it cannot guarantee that every future use of that data will be one the user would accept.
- Genetic testing may reveal ethnicity or ancestry in a way that increases the risk for a particularly vulnerable segment of the population. The alleged sale of data tied to the Asian American and Jewish communities has demonstrated how stolen genetic data can be misused.
- Control over genetic data is more likely to be lost through a company’s bankruptcy, the sale of a business entity, or a merger. Customers may not know whether their consent agreement remains in effect after a transfer of ownership or a merger.
This is why the privacy concerns surrounding 23andMe have persisted well beyond the initial breach. The lawsuit recently filed against the company raises a larger question: whether companies should be allowed to collect sensitive DNA data and retain it indefinitely unless they can clearly demonstrate that they protect it with the highest possible security measures.
Rob Bonta 23andMe Lawsuit: What California Is Alleging
Rob Bonta has filed a lawsuit against 23andMe in California, alleging that 23andMe was noncompliant with the California Consumer Privacy Act and California’s consumer protection statutes regarding the protection of personal information.
The California State Attorney General, Rob Bonta, argues that 23andMe has collected highly private and personal genetic data but does not adequately protect it. The state contends there was a failure in data protection procedures, a failure to investigate, report, and respond to security breaches, and a failure to inform consumers in a timely manner.
The state is seeking both penalties and injunctive relief to prevent further violations of the law. Beyond that, the outcome of the case may influence how other companies build their security systems, report security breaches, and handle consumer information going forward.
For California, the case is about accountability, and for the entire DNA Testing industry, this lawsuit may be a very clear signal that genetic data requires higher levels of protection than does regular consumer data.
The Dark Web’s Involvement in the 23andMe Breach
One of the most shocking details surrounding the 23andMe incident is the potential sale of user information on the “dark web.” The “dark web” has long been a place where stolen data and credentials from hacked systems are sold or traded, including login credentials, credit/debit card numbers, Social Security numbers, and more.
The alleged promotion of certain 23andMe users’ data on the dark web based on their ancestry or ethnicity is especially concerning. It adds to the seriousness of the breach because it implies that stolen genetic data could be used not only for identity theft and credit card fraud, but also for profiling, threats and harassment, discrimination, and targeted physical violence against those people.
The dark web sale of user data is problematic in another way: once data appears on the dark web, it is virtually impossible to completely erase it from those sites. Even if 23andMe improves its security infrastructure and processes as a result of this incident, the stolen user data will likely remain on the dark web.
For many of the affected customers, uncertainty about their data will persist for years. They cannot be certain who currently has their data, how it may be used, or whether it may fall into the hands of a future criminal or other persons who could misuse it.
Concerns about Deleting Accounts & 23andMe Bankruptcy
The recent bankruptcy of 23andMe has raised concerns among customers about the deletion of their accounts and their genetic data. Following the bankruptcy filing, many customers attempted to delete their accounts or remove their genetic data. Customers have expressed concerns that their information could be transferred to a buyer in the sale of the company.
These concerns are valid. A genetic testing company typically retains account information as well as biological samples, raw DNA files, ancestry reports, research consents, and family-matching data. When such a company is sold, customers may reasonably wonder whether their original consent follows the data and binds the new owner.
The deletion of accounts at 23andMe ultimately served as a significant catalyst for change in customer control over their data; more generally, with respect to privacy and confidentiality, the deletion of personal data represents one of the highest degrees of ownership over one’s private data. However, deleting genetic materials can be complicated because they may be embedded deeply within a complex data system and/or may have been shared with others, backed up, used in research, or otherwise associated with other users through relatives.
The current litigation by customers is adding pressure on all such companies to make the process for deleting account information more transparent, straightforward, and reliable.
International Scrutiny and the ICO 23andMe Fine
International attention has focused on the breach at 23andMe. The breach has attracted scrutiny from global regulators (including the ICO, which fined 23andMe in the UK), who have also classified the incident as a serious violation of data protection law.
According to UK law, genetic information is regarded as a unique and highly sensitive form of personal information, which means that 23andMe had no alternative but to take appropriate measures to keep the data secure before the breach occurred.
Because many DNA testing companies operate globally and provide their products and services to customers in multiple countries, a breach at one company can trigger multiple investigations across multiple legal systems. Companies therefore need to comply with the US regulatory environment as well as the regulations of every other jurisdiction in which they operate.
The actions taken by various global data regulators regarding 23andMe reinforce that genetic information is more than just consumer data and that regulators’ expectations will continue to increase, requiring those who manage such information to do so with the highest level of care possible.
Consequences for 23andMe Users
The lawsuit has left current and former customers with significant uncertainty about what to do with their accounts. Customers might want to:
- Review their account settings.
- Reset their password.
- Enable two-factor authentication.
- Determine what data is currently stored in their accounts.
- Learn about their ability to delete their data.
Anyone who has used the same password for 23andMe and another website should immediately change their password, as criminals often use a technique called credential stuffing to access multiple accounts with stolen credentials.
In addition to the above suggestions, customers should consider whether they are comfortable with having their genetic information stored by a company that tests for genetic predispositions, as many people value genealogical and genetic health testing, while others may find the potential loss of privacy too great a risk.
The most important part of this decision is that customers make it fully informed. Customers will be expected to take responsibility for understanding how their genetic data is retained, for how long, and whether it will be retained after the company ceases operations, unless specific circumstances prevent deletion.
The DNA Testing Industry’s Future Following The Security Breach
The security breach affecting DNA testing data may lead to more stringent regulations on how DNA testing services handle customers’ DNA, as companies that use DNA-based information face greater expectations to meet customer or regulatory standards. Customer pressures may also lead companies to use multi-factor authentication by default, limit the data-sharing features available to customers, improve breach detection, and implement clearer methods for customers to control their privacy regarding their DNA and its use by DNA collection services.
The way companies communicate risks to their customers is likely to be affected as well. DNA testing companies tend to market themselves on the basis of discovery, connection, and health insight; however, they also have an obligation to clearly articulate and communicate any potential privacy risks, as they would the products they sell.
If regulators successfully hold Chrome Holding liable, genetic testing companies will likely view this case as a warning and will need to demonstrate that they are adequately prepared for the normal cybersecurity risks, as well as the additional responsibilities that come with storing permanent biological data.
Advice for Users of DNA Tests
There are several lessons from the 23andMe incident that apply to consumers in general.
- Use different passwords across different accounts.
- Always use two-factor authentication (or other forms of additional security) when they are available.
- Be very careful about uploading your DNA to an online database.
- Review the privacy policies for any research you agree to participate in.
- Verify whether you can request the deletion of your DNA specimen or of personal information related to your DNA.
- Be aware that genetic testing can reveal information about your family members as well.
- Be aware of changes in company ownership, bankruptcy filings, or other major changes at the businesses you deal with.
These suggestions do not eliminate all the risks involved, but they will significantly reduce your exposure if you treat your DNA test accounts the same as any other sensitive accounts, i.e., financial, medical, or identity accounts.
Conclusion
The lawsuit against 23andMe for the data breach is a major legal case concerning genetics, consumer privacy and trust, and DNA data storage.
The California AG is currently suing the owner of 23andMe, Chrome Holding, for failing to protect customer data from compromise during the data breach, failing to act on warning signs of the hack, and misrepresenting the extent to which 23andMe stores and shares user information.
The lawsuit follows a data breach affecting nearly 7 million customers and comes at a time when many people are concerned about bankruptcy, the deletion of their accounts, the sale of their accounts on the dark web, and genomic data privacy.
For consumers, your DNA is a powerful, permanent, and personal part of you. For companies, TopTrendingHub’s message is simple: if your business uses DNA, it is your responsibility to protect consumers’ DNA to the highest possible standard.
As the lawsuit proceeds, it could influence the future of genomic testing, data privacy law, and consumer rights in the digital health industry.

FAQs
- What is the 23andMe data breach lawsuit?
The 23andMe data breach lawsuit, filed by California Attorney General Rob Bonta, is against Chrome Holding Co., the successor to 23andMe. He alleges that the company did not adequately safeguard the sensitive personal and genetic information exposed in the 2023 data breach.
- Who is suing the 23andMe successor, Chrome Holding?
The California Attorney General, Rob Bonta, is suing Chrome Holding Co., formerly known as 23andMe. He alleges that they violated laws protecting consumer privacy and security, including those governing the protection of genetic data.
- What type of genetic information was compromised during the 23andMe data breach?
The types of genetic information that may have been compromised include ancestry information, ethnic identity, information identifying biological relatives, health reports, genetic predispositions to health issues, and other sensitive information regarding 23andMe customers.
- How did the 23andMe data breach occur?
According to reports, the 23andMe data breach resulted from credential stuffing: hackers used usernames and passwords from prior breaches to gain access to 23andMe accounts. Through those accounts, the hackers then reached information about additional customers who were connected to them through the service’s relative-matching features.
- Why is the privacy surrounding genetic data so significant?
The importance of privacy regarding an individual’s genetic data stems from the fact that DNA cannot be altered. DNA data can reveal health risks, ancestry, race, and family relationships. But it can also expose relatives who never participated in the testing.
- How much of a role did the dark web play in the 23andMe incident?
Reports and other sources indicate that 23andMe user data has been listed for sale on the dark web. Some reports also show that listings specifically referenced AAPI and Jewish users, indicating that the data could be misused and possibly used for unlawful discrimination.
- What should 23andMe users do now?
Users are encouraged to change their password, avoid reusing old logins, enable two-factor authentication, review privacy settings, investigate account deletion, and decide whether they want to continue having their genetic information stored with the organisation.