California has filed a lawsuit against genetic testing company 23andMe, alleging that the company failed to protect the personal data of millions of users in a 2023 data breach. The lawsuit, announced by California Attorney General Rob Bonta, accuses 23andMe of violating state consumer protection and privacy laws.
Details of the Breach
The breach, which came to light in October 2023, exposed the personal information of approximately 6.9 million users. Hackers gained access to user data, including names, birth years, and genetic ancestry information. The compromised data was reportedly sold on dark web forums.
According to the lawsuit, 23andMe failed to implement adequate security measures to prevent the breach. The company also allegedly misled users about the level of protection afforded to their sensitive genetic data.
Legal Allegations
The state of California is seeking civil penalties and injunctive relief. The lawsuit claims that 23andMe violated the California Consumer Privacy Act (CCPA) and the state's unfair competition law. Attorney General Bonta stated that companies handling sensitive data must be held accountable for security failures.
23andMe has defended its actions, stating that the breach was a result of a credential-stuffing attack, where hackers used passwords stolen from other sites. The company has since enhanced its security protocols and urged users to enable two-factor authentication.
Impact on Users
The breach has raised significant concerns about the privacy of genetic data. Users whose information was exposed face risks of identity theft and genetic discrimination. Privacy advocates have called for stronger regulations to protect biometric data.
The lawsuit is part of a broader push by California to enforce privacy laws in the tech industry. The case could set a precedent for how companies handle genetic and other sensitive personal information.
