California's Attorney General, Rob Bonta, has initiated legal action against Chrome Holding Co., previously known as 23andMe, alleging that the company failed to adequately protect customer personal information in a significant data breach. This breach, which occurred in 2023, compromised the sensitive data of nearly 7 million individuals, including ancestry and genetic information.
The lawsuit was filed on Thursday in San Francisco Superior Court, where Bonta claimed the company ignored multiple alerts about security vulnerabilities. The breach was carried out through a "credential-stuffing attack," in which hackers infiltrated accounts using credentials stolen in other incidents. The attackers accessed personal data over a span of months, remaining undetected until they attempted to sell the information on the dark web.
In October 2023, 23andMe disclosed that hackers had accessed customer data, notably targeting users with Chinese or Ashkenazi Jewish ancestry. The data of over 1 million users from these groups was later found for sale online. Bonta highlighted the troubling context of rising hate and violence against these communities in his press release.
A separate lawsuit in January 2024 accused the company of insufficient customer protection and failure to notify affected individuals promptly. This lawsuit concluded with a settlement of $30 million.