23andMe accused of failing to protect user data in new lawsuit

23andMe Faces New Legal Action Over Data Security Failures

California’s Attorney General Rob Bonta has initiated a lawsuit against 23andMe, accusing the genetic testing company of inadequate measures to safeguard user data during a significant security breach. The legal action was filed Thursday in the San Francisco Superior Court, targeting Chrome Holding Co., the corporate entity under which 23andMe operated during its recent bankruptcy proceedings. This new claim follows reports that hackers exploited the company’s systems for five months in 2023, gaining access to sensitive information tied to nearly seven million customers.

A Breach That Left Millions Vulnerable

The lawsuit alleges that 23andMe failed to detect or respond to the breach promptly, despite identifying over one million login attempts to a single account within a single day. According to court filings, the company did not take immediate action to secure its systems, allowing unauthorized access to persist. This incident has raised concerns about the protection of genetic data, which includes detailed health profiles and ancestry records, potentially exposing users to privacy risks and identity theft.

“At the time of the breach, 23andMe stated that customer profile information shared through the DNA Relatives feature had been accessed without proper authorization,”

The DNA Relatives feature, a tool that enables users to connect with potential family members based on genetic data, became a focal point of the allegations. The company’s failure to secure this feature, combined with its delayed response, has led to accusations of negligence. Moreover, the lawsuit highlights how 23andMe minimized the severity of the breach, claiming that it had implemented all necessary safeguards to protect user data while hackers were already selling information on the dark web.

The Sale and Reorganization of 23andMe

During its bankruptcy process, 23andMe underwent a reorganization, with Chrome Holding Co. serving as its legal entity. In July 2023, the bankruptcy court approved the sale of the company to TTAM Research Institute, a nonprofit organization founded by 23andMe’s former CEO Anne Wojcicki. This transition marked a shift in the company’s ownership structure, though it did not resolve the ongoing data security issues.

Founded in 2006 in San Francisco, 23andMe has long been a trailblazer in consumer genetic testing. Its DNA kits, which require a saliva sample to extract genetic material, offer users insights into their ancestry and health risks. Despite its innovative approach, the company has faced persistent challenges in achieving profitability. The 2023 breach appears to be a critical moment in its ongoing struggles, with legal consequences now looming as part of its restructured operations.

Financial and Legal Implications of the Breach

As part of its response to the breach, 23andMe introduced two-step verification and new passwords for customers, but these measures came after the incident had already escalated. The lawsuit seeks to hold the company accountable for its handling of the breach, aiming to recover civil penalties that could amount to substantial financial repercussions. Additionally, the company has already agreed to a $30 million cash settlement in a separate class-action lawsuit, which underscores the gravity of the situation.

The data breach has sparked broader discussions about the security of genetic information in the digital age. With the sale of 23andMe to a nonprofit organization, there are questions about whether the new ownership will address the vulnerabilities that led to the breach. The TTAM Research Institute, now in charge, will need to navigate these challenges while maintaining public trust in the company’s data protection practices.

Steps to Delete Data Amid Financial Uncertainty

In the wake of the breach, 23andMe has provided guidance for users seeking to delete their data. This process, outlined in a related article, involves navigating the company’s online portal to request the removal of genetic and health information. For those affected by the breach, this step offers a sense of control, though it also highlights the potential long-term consequences of data exposure.

Experts warn that even after data deletion, the breach could have lasting implications. Genetic information, once compromised, can be used for various purposes, including targeted advertising or unauthorized research. The lawsuit may further amplify these concerns, forcing 23andMe to demonstrate improved data security protocols. Additionally, the legal action could set a precedent for how companies are held accountable for data breaches under California law.

Broader Impact on Genetic Data Security

The case has reignited debates about the responsibilities of companies handling genetic data. While 23andMe’s service has been widely used for decades, the 2023 breach serves as a stark reminder of the risks associated with storing large volumes of personal information. The lawsuit not only targets the company’s specific actions but also questions the broader framework of data protection in the genetic testing industry.

As the legal proceedings unfold, stakeholders will be closely monitoring how 23andMe addresses the allegations. The company’s history of financial difficulties, including its bankruptcy, adds context to the lawsuit, suggesting that systemic issues may have contributed to the breach. With its new ownership, 23andMe faces an opportunity to rebuild its reputation, but the outcome of this case could shape the future of data security practices for similar enterprises.

Reactions and Next Steps

ABC News has contacted 23andMe and an attorney representing Chrome Holding Co. to gather comments on the lawsuit. These responses will provide insight into the company’s current stance and its plans to rectify the situation. The legal battle is expected to take time, but it has already prompted a reassessment of data protection measures within the organization.

Industry analysts note that the lawsuit could lead to stricter regulations for companies handling sensitive genetic data. The case may also influence consumer behavior, with users reconsidering their reliance on genetic testing services. As the company moves forward, its ability to address these concerns will be crucial in determining the long-term impact of the breach on both its operations and its customers’ confidence.

The breach has exposed a critical weakness in the company’s cybersecurity infrastructure, which is essential for protecting genetic data. This type of information is not only valuable for personal insights but also for commercial and scientific applications. The lawsuit highlights the need for companies to ensure robust security protocols, especially when dealing with data that can reveal intimate details about an individual’s health and lineage.

While 23andMe has taken steps to enhance its security measures, the allegations of negligence during the breach remain significant. The company’s previous financial struggles, including its bankruptcy, have been cited as factors in its ability to respond swiftly to the incident. As the legal case progresses, it may serve as a benchmark for evaluating corporate accountability in the genetic testing sector. The outcome could also affect how users perceive the safety of their data in an increasingly digital world.

Related News and Context

Other articles in the news have explored the broader implications of 23andMe’s business challenges. For instance, a piece on how users can delete their data during the company’s bankruptcy process highlights the importance of proactive measures in data management. Similarly, a discussion on the potential consequences of the company’s financial troubles for genetic data security provides additional context to the current lawsuit.

These related topics emphasize the interconnected nature of data breaches and corporate restructuring. The bankruptcy process not only affected 23andMe’s operations but also raised questions about the continuity of data protection efforts. As the company transitions under new ownership, the ongoing legal challenges will be a key indicator of its ability to meet regulatory standards and maintain user trust.

Overall, the lawsuit against 23andMe represents a pivotal moment for the company. It underscores the importance of transparency and accountability in handling user data, especially in the context of genetic testing. As the legal case develops, it will serve as a test of how well 23andMe can adapt to the challenges of protecting sensitive information in a rapidly evolving technological landscape.
