23andMe inherits lawsuit over 'disturbing' DNA data breach
Legal
California AG claims genetics biz downplayed 2023 mega-leak while paying ransom to attacker
The office of Rob Bonta, California's attorney general, is suing 23andMe for the data protection failings that led to the genetics company's disastrous 2023 breach.
Bonta and his team claim [PDF] that 23andMe failed to implement adequate security controls for the sensitive records it stored, and misled customers about the nature of the mishap after the fact.
"23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach," said Bonta on Thursday. "Our investigation found that the company failed to take basic steps to protect users' data – data including the sensitive personal information, family histories, and health conditions of consumers.
"The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence – and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law."
The lawsuit was filed against Chrome Holding Co., formerly known as 23andMe. TTAM Research Institute bought 23andMe's assets last year. TTAM Research Institute was founded and is led by Anne Wojcicki, who was also 23andMe's CEO at the time of the breach and one of the company's co-founders.
The nonprofit's purchase of 23andMe assets was completed on July 14, 2025, at which time it promised to run 23andMe charitably, using its data to further medical research and education.
23andMe continues to operate as it always did, taking customers' saliva samples and turning them into fun insights, such as what percentage of their makeup is Neanderthal, and whether their DNA makes them more or less likely to enjoy a scattering of cilantro on their food.
'Disturbing'
Announcing the lawsuit, Bonta's office used "disturbing" no less than three times to describe the events that transpired before and after 23andMe's mega breach. To recap, a cybercriminal going by the name Golem popped up on a forum in 2023 claiming to offer a slew of data belonging to millions of 23andMe customers.
Investigations carried out by regulators later found that Golem only breached around 14,000 accounts, but because of 23andMe's DNA relatives feature, which allows users to connect with other 23andMe users who share a percentage of the same DNA, the crook was able to access the details of nearly 7 million customers.
It also soon emerged that 23andMe failed to spot the intrusion for five months, and the 14,000 or so accounts Golem accessed were compromised as a result of credential-stuffing attacks.
What followed was a multi-faceted game of finger-pointing. 23andMe's decision to blame customers for recycling credentials instead of admitting it should have mandated 2/MFA on all accounts by default went down about as badly as one might expect.
To this day, 23andMe allows customers to use its service without 2/MFA, although it issues regular prompts to those who don't have it set up.
Regulators, on the other hand, highlighted that the company's security practices were less than perfect, while security experts were divided. Many agreed there was blame to be placed on both sides.
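The intrusion described above went unnoticed for five months even though credential stuffing leaves a recognisable trail: one source trying many distinct accounts in a short window with a low success rate. The following is an added illustration, not code from 23andMe or the regulators, of the detection logic a defender could run over authentication logs; the log format, thresholds and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real 23andMe logs):
# timestamp, source IP, username, outcome. 203.0.113.7 cycles through many
# accounts with mostly failures (a stuffing pattern); 198.51.100.9 is a
# single user who mistyped a password once.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 203.0.113.7 alice FAIL
2023-04-01T10:00:02Z 203.0.113.7 bob FAIL
2023-04-01T10:00:02Z 203.0.113.7 carol OK
2023-04-01T10:00:03Z 203.0.113.7 dave FAIL
2023-04-01T10:00:03Z 203.0.113.7 erin FAIL
2023-04-01T10:00:04Z 203.0.113.7 frank FAIL
2023-04-01T10:00:04Z 203.0.113.7 grace OK
2023-04-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-04-01T10:05:00Z 198.51.100.9 ivan FAIL
2023-04-01T10:05:10Z 198.51.100.9 ivan OK
"""

def parse_events(text):
    """Parse whitespace-separated log lines into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((ts, ip, user, outcome == "OK"))
    return events

def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.5, window_s=600):
    """Flag source IPs that hit many distinct accounts within window_s seconds with a
    low success rate. For each flagged IP, list the accounts that did log in from it:
    those are the sessions to revoke and the users to push into a reset plus MFA."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        users = {e[2] for e in evs}
        successes = sorted({e[2] for e in evs if e[3]})
        rate = sum(1 for e in evs if e[3]) / len(evs)
        if len(users) >= min_distinct_users and span <= window_s and rate <= max_success_rate:
            flagged[ip] = {"attempts": len(evs), "distinct_users": len(users),
                           "success_rate": round(rate, 2), "compromised": successes}
    return flagged
```

The thresholds are deliberately loose so the pattern shows up on a handful of events; in production they would be tuned against the site's normal per-IP login behaviour and combined with per-account rate limits on features such as relative matching that fan one login out to many records.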
Then came the fines and the settlements.
The UK's Information Commissioner hit the company with a £2.3 million ($3.09 million) fine in June 2025, three months after the bankruptcy filing.
In its ruling, it echoed the findings of US authorities from 2023, accusing the company of relying on inadequate password requirements.
The Information Commissioner rebuked 23andMe for failing to detect the intrusion promptly and not implementing measures to prevent bulk downloading of genetic data.
23andMe also settled a class action lawsuit for $30 million in 2024.
Bonta's office alleged that 23andMe's statements to customers were "misleading and omitted or misrepresented critical information."
"While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the 'DNA Relatives' feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other things, the threat actor removing damaging information regarding the breach that had been posted online and providing information about multiple 23andMe security vulnerabilities, including vulnerabilities the threat actor exploited during the data breach."
The Register contacted 23andMe's publicists for a response. We received one only on behalf of the 23andMe Research Institute, which, despite handling requests sent to the 23andMe platform's only press contact address, distanced itself from Chrome Holding. Neither Chrome Holding nor TTAM Research Institute has a public-facing contact.
The institute also did not help us reach 23andMe's operator.
The institute said: "The 23andMe Research Institute is a newly established independent nonprofit organization and is not involved in the matters described in the California Attorney General's complaint filed against Chrome Holding Co., formerly known as 23andMe. The lawsuit pertains to events and operations associated with the former commercial entity prior to the creation of the 23andMe Research Institute. The institute was not involved in the complaint and has no role in the underlying litigation.
"The 23andMe Research Institute is focused on advancing nonprofit scientific and health research with a strong commitment to privacy, ethics, transparency, and responsible data stewardship." ®