California Attorney General Initiates Lawsuit Against Chrome Holding
California Attorney General Rob Bonta announced plans to sue DNA testing company Chrome Holding following an investigation on Thursday. The probe alleges that Chrome Holding's predecessor, 23andMe, failed to adequately protect sensitive customer data.
Bonta attributed the failure to a 2023 data breach that compromised the genetic predispositions and risk factors of nearly seven million users. The breach also exposed information related to biological relatives, ancestry, and ethnicity.
"Our investigation found that the company failed to take basic steps to protect users' data," said Bonta, who further stated that 23andMe "lied to consumers about the severity of its 2023 data breach."
The BBC has reached out to Chrome Holding for comment.
The company underwent rebranding after 23andMe filed for bankruptcy last year.
Concerns Over Data Sale and Targeted Communities
Bonta also alleges that threat actors sold 23andMe user data on the dark web, specifically highlighting that the data belonged to Asian American Pacific Islanders (AAPI) and Jewish users.
"This is disturbing and incredibly dangerous," he said, emphasizing the timing amid "mounting anti-Asian American and Pacific Islander and antisemitic hate and violence."
The breach involved a "credential stuffing" attack, in which hackers used passwords exposed in prior breaches to access 23andMe accounts whose users had reused similar credentials.
International Regulatory Actions and Fines
The 2023 data breach has attracted scrutiny from international regulators.
In the previous year, the Information Commissioner's Office (ICO), a UK regulatory body, fined 23andMe £2.31 million. The ICO alleged that the company failed to implement sufficient measures to secure sensitive user data before the breach.
The ICO reported that personal data of 155,592 UK residents was accessed during the incident.
23andMe has stated it has "made several binding commitments to enhance protections for customer data and privacy."
Under UK data protection laws, genetic data is classified as a special category requiring additional safeguards due to its sensitive nature.
The ICO's investigation, conducted in coordination with Canada's privacy commissioner, found that 23andMe violated UK law by not implementing adequate authentication and verification procedures during customer login processes.
Account Deletion Issues and Bankruptcy Proceedings
Last year, 23andMe faced further scrutiny when users reported difficulties deleting their accounts following the company's Chapter 11 bankruptcy filing. The bankruptcy was part of a court-supervised process to facilitate the company's sale.
At that time, some users expressed concerns about the possibility of insurance companies acquiring their data and using it to influence coverage decisions.
Company Background and Notable Customers
23andMe was co-founded by Anne Wojcicki, who is the sister of the late YouTube executive Susan Wojcicki and the ex-wife of Google co-founder Sergey Brin.
The company previously counted celebrities such as Snoop Dogg, Oprah Winfrey, and Eva Longoria among its customers. Its share price reached over $300 at its peak before declining sharply in 2024.







