California Attorney General Sues 23andMe’s Successor Over 2023 Genetic Data Breach


Privacy Reporter

The office of Attorney General Rob Bonta has filed a lawsuit against Chrome Holding Co., the entity that now owns 23andMe, alleging violations of California privacy law, failure to implement basic security controls, and deceptive communications to consumers after the 2023 breach that exposed the genetic data of millions.

California AG sues 23andMe’s new owners over 2023 breach


What happened

In May 2023 a cyber‑criminal known only as Golem posted a dump of DNA records that they claimed to have stolen from the popular consumer genetics service 23andMe. While the initial intrusion affected roughly 14,000 accounts, the company’s “DNA Relatives” feature allowed the attacker to map family‑tree connections and extrapolate data for nearly 7 million users. The breach went undetected for five months, during which the attacker carried out credential‑stuffing attacks and later demanded a ransom in exchange for deleting the incriminating files and sharing details of the vulnerabilities exploited.

The California Attorney General’s complaint rests on several statutory provisions:

  • California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) – both require businesses that collect “personal information” (including genetic data) to implement reasonable security measures and to disclose breaches to consumers within 30 days. The AG alleges that 23andMe failed to meet the “reasonable security procedure” standard and delayed notification.
  • California’s data‑security law (SB 327) – mandates encryption of personal data at rest and in transit, as well as regular security testing. The suit claims the company stored raw DNA files without adequate encryption and did not perform timely vulnerability assessments.
  • Federal Trade Commission Act – the AG asserts that 23andMe’s misleading statements about the breach constitute an unfair and deceptive practice, violating the FTC’s prohibition on false advertising of privacy safeguards.
  • General Data Protection Regulation (GDPR) – because 23andMe processes data of EU residents, the breach also triggered GDPR obligations, including the 72‑hour breach‑notification rule and the requirement to conduct a Data Protection Impact Assessment (DPIA). The complaint points to the company’s failure to conduct a DPIA for the “DNA Relatives” feature, a clear breach of Article 35.

Impact on users and the company

For consumers

  • Genetic privacy – DNA reveals health predispositions, ancestry, and family relationships. Exposure can lead to discrimination in employment or insurance, even though the Genetic Information Nondiscrimination Act (GINA) offers limited protection.
  • Psychological harm – knowing that intimate family data may be publicly searchable can cause distress, especially for communities already targeted by hate crimes.
  • Loss of trust – many users signed up for 23andMe’s “fun insights” under the assumption that their genetic material would be kept confidential. The lawsuit highlights how that trust was breached.

For the business

  • Financial exposure – The UK Information Commissioner’s £2.3 million fine in 2025, a $30 million class‑action settlement in 2024, and now the California suit could push the successor entity into further liability.
  • Operational changes – Chrome Holding Co. must now overhaul its security architecture, implement mandatory two‑factor authentication (2FA) for all accounts, and encrypt raw genomic files using industry‑standard AES‑256.
  • Reputational damage – The public statements from the AG describing the breach as “disturbing” and “dangerously personal” have already led to a dip in user sign‑ups and heightened scrutiny from investors.

What changes are required

  1. Immediate security upgrades – Deploy end‑to‑end encryption for DNA data, enforce 2FA, and adopt continuous monitoring tools that can detect credential‑stuffing attacks within minutes.
  2. Breach‑notification compliance – Issue a clear, plain‑language notice to all affected users within the 30‑day CCPA window, detailing the specific data exposed and steps for mitigation.
  3. Data‑protection impact assessment – Conduct a GDPR‑style DPIA for any feature that links users to relatives, documenting the risk to third‑party privacy and the mitigation measures.
  4. Audit and third‑party verification – Engage an independent security auditor to certify compliance with SB 327, CCPA/CPRA, and GDPR, and publish the audit results to restore consumer confidence.
  5. Policy overhaul – Rewrite privacy notices to stop down‑playing the sensitivity of genetic data and to eliminate any language that shifts blame onto users.
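As an added illustration of the continuous‑monitoring item above (not code from the article, the AG’s filing, or 23andMe): a small Python detector that flags credential stuffing from authentication events. The log line format, IP addresses and account names are constructed for the example, and the 5‑minute window and 5‑account threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real 23andMe logs); line format is assumed.
SAMPLE_LOG = """\
2023-04-01T10:00:01 ip=203.0.113.9 user=alice result=fail
2023-04-01T10:00:02 ip=203.0.113.9 user=bob result=fail
2023-04-01T10:00:03 ip=203.0.113.9 user=carol result=ok
2023-04-01T10:00:04 ip=203.0.113.9 user=dave result=fail
2023-04-01T10:00:05 ip=203.0.113.9 user=erin result=fail
2023-04-01T10:00:06 ip=203.0.113.9 user=frank result=fail
2023-04-01T10:00:07 ip=198.51.100.4 user=grace result=fail
2023-04-01T10:00:08 ip=198.51.100.4 user=grace result=fail
2023-04-01T10:00:09 ip=198.51.100.4 user=grace result=ok
2023-04-01T11:30:00 ip=203.0.113.9 user=heidi result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "ok"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs trying >= min_users distinct accounts inside a sliding
    window. Distinct accounts, not failure count, is the signal: a user mistyping
    a password hits one account; a bot replaying a leaked list walks many."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                # successes inside the window are the accounts needing forced resets
                best = (len(users), sorted({u for _, u, ok in span if ok}))
        if best:
            flagged[ip] = {"distinct_users": best[0], "compromised": best[1]}
    return flagged
```

The single‑user retry from 198.51.100.4 is not flagged, while 203.0.113.9 is reported together with the one account (carol) it actually got into, which is the list a response team would force‑reset first.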

Broader regulatory implications

The AG’s action signals a shift toward stricter enforcement of biometric‑data protections. California’s recent BIPA‑style amendments (effective 2026) expand the definition of “biometric information” to include DNA, meaning future violations could attract statutory damages of up to $1,500 per record. Companies handling genetic data will need to treat each genome as a high‑value personal identifier, similar to a passport number.

What this means for you

If you used 23andMe before July 2025, you should:

  • Review the latest security settings on your account and enable 2FA.
  • Monitor credit reports and health‑insurance statements for any unusual activity.
  • Consider requesting a copy of your genetic data under CCPA’s right of access, then delete it if you no longer wish to retain it with the service.

Looking ahead

The lawsuit is still in its early stages, but it sets a precedent for holding genetics companies accountable under both state and international privacy regimes. As regulators tighten the net around biometric data, consumers can expect more robust safeguards—provided companies act before courts force them to.


This article was prepared by the Digital Rights Watchdog team, drawing on the California AG’s filing, the UK ICO’s fine notice, and public statements from the 23andMe Research Institute.
