California AG Sues 23andMe Over Massive 2023 Data Breach

by Anika Shah - Technology

The intersection of personal genetics and digital security has reached a critical point. California Attorney General Rob Bonta has filed a lawsuit against 23andMe, the genetic testing giant, alleging that the company failed to adequately protect the sensitive genetic and personal data of approximately 6.9 million users in a credential-stuffing attack that the company disclosed in October 2023.

This legal action marks a pivotal moment in the debate over how biotechnology firms handle the most intimate data points imaginable: our DNA. As we entrust companies with our ancestral history and health predispositions, the consequences of a security lapse extend far beyond a typical password reset.

The Anatomy of the 23andMe Security Breach

The breach, which became public in October 2023, was not a direct hack of 23andMe's primary database. Instead, attackers used a technique known as "credential stuffing": they replayed username and password pairs stolen from other platforms, where users had reused the same credentials, against 23andMe's login page. Only a small fraction of accounts (roughly 14,000, by 23andMe's own estimate) were logged into this way, but that was enough.

Crucially, once these accounts were compromised, the attackers exploited the "DNA Relatives" feature. Because this feature shows each opted-in user the profiles of their genetic matches, a single compromised account could be used to scrape data on hundreds of other users who had never had their own passwords leaked; across all the compromised accounts, millions of profiles were harvested. The exposed information included ancestry reports, health-related data, and identifying details such as names, birth dates, and location information. For many users, this data is permanent: you cannot change your genetic code as you would a compromised credit card number.
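The two attack stages described above each leave a distinctive trace in ordinary application logs. The following script, an added example that is not code from 23andMe or from the lawsuit, runs two detections over a constructed log: a credential-stuffing check (one source IP trying many different accounts with a high failure rate) and a scraping check (one account viewing far more DNA Relatives profiles than a real user would). The log format, field names and thresholds are assumptions chosen for the example, and every log line is constructed here, not taken from any real incident.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str      # "LOGIN" or "RELATIVE_VIEW" (hypothetical event names)
    src_ip: str
    user: str
    detail: str    # LOGIN: "OK"/"FAIL"; RELATIVE_VIEW: id of the viewed profile


def parse_line(line: str) -> Event:
    """Parse one line of the assumed format '<iso-ts> <kind> <src_ip> <user> <detail>'."""
    ts, kind, src_ip, user, detail = line.split()
    return Event(ts, kind, src_ip, user, detail)


def detect_credential_stuffing(events, min_distinct_users=20, min_fail_ratio=0.7):
    """Flag source IPs that attempt logins against many different accounts and mostly fail.

    A legitimate user who mistypes a password hits one account; a stuffing bot
    replays leaked user:password pairs across many accounts, and most of them fail
    because most people changed or never reused that password.
    """
    attempts = defaultdict(list)                      # src_ip -> [(user, succeeded)]
    for e in events:
        if e.kind == "LOGIN":
            attempts[e.src_ip].append((e.user, e.detail == "OK"))
    flagged = {}
    for ip, tries in attempts.items():
        users = {u for u, _ in tries}
        fails = sum(1 for _, ok in tries if not ok)
        ratio = fails / len(tries)
        if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                # the accounts that did succeed are the ones now in attacker hands
                "compromised": sorted(u for u, ok in tries if ok),
            }
    return flagged


def detect_relative_scraping(events, max_profiles_per_user=50):
    """Flag accounts that view an abnormal number of distinct DNA Relatives profiles.

    Each compromised account is used to pull the profiles of all its matches;
    a real user browses a handful. Distinct profiles are counted, not requests,
    so repeated views of the same match do not inflate the score.
    """
    seen = defaultdict(set)                           # user -> {profile ids}
    for e in events:
        if e.kind == "RELATIVE_VIEW":
            seen[e.user].add(e.detail)
    return {u: len(p) for u, p in seen.items() if len(p) > max_profiles_per_user}


def build_constructed_log():
    """Constructed sample traffic (not real data).

    One bot IP stuffs 30 accounts, 5 of which succeed; those 5 accounts then each
    scrape 120 profiles. One normal user mistypes once, logs in, and views 8 relatives.
    """
    lines = []
    bot_ip = "203.0.113.7"
    for i in range(30):
        ok = "OK" if i % 6 == 0 else "FAIL"           # i = 0, 6, 12, 18, 24 succeed
        lines.append(f"2023-05-01T10:00:{i:02d}Z LOGIN {bot_ip} user{i}@example.com {ok}")
    for i in range(0, 30, 6):
        for p in range(120):
            lines.append(f"2023-05-01T11:{p // 60:02d}:{p % 60:02d}Z RELATIVE_VIEW "
                         f"{bot_ip} user{i}@example.com prof{p}")
    lines.append("2023-05-01T12:00:00Z LOGIN 198.51.100.5 normal@example.com FAIL")
    lines.append("2023-05-01T12:00:05Z LOGIN 198.51.100.5 normal@example.com OK")
    for p in range(8):
        lines.append(f"2023-05-01T12:01:{p:02d}Z RELATIVE_VIEW 198.51.100.5 normal@example.com prof{p}")
    return lines


def analyse(lines):
    """Run both detections over raw log lines; returns (stuffing_by_ip, scraping_by_user)."""
    events = [parse_line(line) for line in lines]
    return detect_credential_stuffing(events), detect_relative_scraping(events)


if __name__ == "__main__":
    stuffing, scraping = analyse(build_constructed_log())
    print("credential stuffing sources:", stuffing)
    print("accounts scraping DNA Relatives:", scraping)
```

The stuffing detector keys on distinct accounts per source, not on failures per account, because a bot tries each leaked pair only once and never trips a per-account lockout; the scraping detector catches the second stage even when the login itself looked clean, which is the gap the "inadequate monitoring" allegation points at. In production the thresholds would be tuned against a baseline of real traffic and the source-IP logic extended to cover rotating proxies.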

Allegations of Negligence

The lawsuit brought by the California Department of Justice alleges that 23andMe failed to implement reasonable security measures to prevent such a widespread exfiltration of data. Key accusations include:

  • Failure to Enforce Multi-Factor Authentication (MFA): The state argues that 23andMe offered MFA only as an option and did not require it for all users, despite knowing that credential stuffing defeats password-only logins.
  • Inadequate Monitoring: The company allegedly failed to detect the unauthorized scraping of millions of profiles for several months.
  • Delayed Notification: Critics and regulators have raised concerns regarding the time it took for the company to fully disclose the scope of the breach to affected customers.

In response to the lawsuit, 23andMe has maintained that it takes data privacy seriously and has implemented additional security enhancements since the incident. However, the legal challenge suggests that current regulatory standards for genetic data protection may need to be significantly more stringent to prevent future catastrophes.

Key Takeaways for Users

For those concerned about the safety of their genetic data, the situation serves as a stark reminder of the digital risks associated with personal health services:

  • Credential Hygiene: Never reuse passwords across different platforms. A password manager that generates a unique, random password for each site removes the reuse that credential stuffing depends on.
  • Enable MFA: If a service offers multi-factor authentication, always enable it. It serves as a vital secondary barrier even if your password is leaked elsewhere.
  • Data Minimization: Review the privacy settings of your genetic testing accounts. Opt out of features like “DNA Relatives” or public sharing if they are not essential to your use of the platform.

Frequently Asked Questions

What specific data was exposed in the 23andMe breach?

The exposed data included names, birth dates, ancestry reports, and in some cases, health-related genetic information. The extent of the exposure varied depending on the settings of the individual accounts accessed.


Can I delete my data from 23andMe?

Yes, users can request the deletion of their account and data. However, be aware that companies are often legally required to retain certain records for regulatory and tax purposes, and a deletion request cannot recall data that has already been shared with third parties or scraped by attackers.

Is this the only lawsuit 23andMe is facing?

No. Following the 2023 breach, the company has faced a wave of class-action lawsuits from users across the United States who claim the company failed in its duty of care to protect highly sensitive biological information.

The Future of Genetic Privacy

The lawsuit against 23andMe is a bellwether for the biotech industry. As genetic testing becomes increasingly mainstream, the regulatory environment is shifting from a “self-regulated” model to one of strict oversight. Consumers must demand higher standards of security from companies that profit from their biological blueprints. Moving forward, we should expect more robust legislative frameworks, potentially mirroring the strictness of the Health Insurance Portability and Accountability Act (HIPAA), to cover consumer-facing genetic platforms.
