California AG Sues 23andMe Over Massive Data Breach Exposing Genetic Data

The California Attorney General has filed a lawsuit against **23andMe** (now **Chrome Holding Co.**) following a 2023 data breach that exposed the sensitive genetic and personal information of nearly 7 million customers. The lawsuit alleges failures in security practices and misleading statements made by the company both before and after the breach.

### California Takes Action Against 23andMe
California Attorney General **Rob Bonta** has initiated legal action against **23andMe**, now operating as **Chrome Holding Co.**, citing the company's failure to adequately protect customer data, leading to a significant breach in 2023. The breach compromised the sensitive information of approximately 7 million users, including 855,541 residents of California.
### Breach Details and Impact
The incident came to light in October 2023 when threat actors began offering stolen **23andMe** records for sale and leaked data samples to verify the authenticity of the stolen information. The company confirmed the breach, attributing it to a credential-stuffing attack that exploited accounts with weak passwords.

Attackers initially targeted users of the 'DNA Relatives' feature before gaining access to a broader range of accounts. In total, the breach exposed the genetic data, health predispositions, ancestry details, biological relatives, and DNA matches of approximately 6.9 million users.
### Allegations of Negligence and Misleading Statements
The lawsuit alleges that **23andMe** failed to implement reasonable security measures to prevent credential-stuffing attacks and missed opportunities to detect the intrusion. It also claims the company failed to identify a coding error in the 'DNA Relatives' feature that contributed to the widespread data exposure.

Furthermore, the Attorney General accuses **23andMe** of making misleading statements regarding its security standards before the breach and downplaying the severity of the incident afterward. The company initially suggested that the exposed data was largely public and blamed users for password reuse, denying any breach of its own systems.
### Legal Violations and Potential Penalties
The Attorney General argues that **23andMe**'s actions violated several California laws, including the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California Consumer Privacy Act (**CCPA**), the False Advertising Law, and the Unfair Competition Law.

The lawsuit seeks an injunction to prevent further violations and statutory penalties ranging from $1,000 to $7,500 per violation.
### Bankruptcy and Ongoing Investigations
This lawsuit follows previous legal challenges and investigations, including multi-million-dollar fines that contributed to **23andMe** filing for bankruptcy. The Attorney General's office has clarified that the bankruptcy proceedings and the proposed sale of Californians' genetic data are separate from this legal action.
