AG Bonta’s complaint filed May 28 in San Francisco Superior Court against Chrome Holding Co., formerly 23andMe, doesn’t lead with a generic security failure. It names three specific failures: missed credential-stuffing defenses, an unpatched coding error in the DNA Relatives feature, and a five-month detection gap.

The attack began with 14,000 accounts compromised via credential stuffing. From there, attackers exploited the DNA Relatives coding error to reach nearly 6.9 million total customer profiles. Exposed data included genetic information, health predisposition reports, ancestry and ethnicity profiles, and biological relative matches. Of those affected, 855,541 were Californians.
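The chain in that paragraph has two signals a detection engineer would want to catch early: a single source trying many different usernames against the login endpoint (credential stuffing), and a handful of compromised accounts then reading far more other customers' profiles than any real user would. The script below is an added example of both checks; it is my code, not anything from 23andMe or the complaint. The log format, IP addresses, account names, and thresholds are all constructed for the demo, and the actual DNA Relatives defect is not described on this page, so the second check models the symptom (one account reading an abnormal number of profiles), not the bug itself.

```python
"""Two defender-side checks modelled on the 23andMe failure chain:
(1) credential stuffing against a login endpoint, and
(2) a few compromised accounts reading an abnormal volume of other
    customers' profile data (the amplification step).

Everything below is constructed for illustration: the log format,
addresses, usernames, and thresholds are not 23andMe's.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed login log: "ISO-timestamp client_ip username result"
LOGIN_LOG = """
2023-05-01T10:00:00 203.0.113.9 alice FAIL
2023-05-01T10:00:01 203.0.113.9 bob FAIL
2023-05-01T10:00:02 203.0.113.9 carol OK
2023-05-01T10:00:03 203.0.113.9 dave FAIL
2023-05-01T10:00:04 203.0.113.9 erin FAIL
2023-05-01T10:00:05 203.0.113.9 frank FAIL
2023-05-01T10:00:06 203.0.113.9 grace OK
2023-05-01T10:00:07 203.0.113.9 heidi FAIL
2023-05-01T10:00:08 203.0.113.9 ivan FAIL
2023-05-01T10:00:09 203.0.113.9 judy FAIL
2023-05-01T10:05:00 198.51.100.7 alice FAIL
2023-05-01T10:05:20 198.51.100.7 alice OK
2023-05-01T11:00:00 192.0.2.44 mallory OK
""".strip().splitlines()

# Constructed profile-read events: (acting account, profile id viewed).
# Two stuffed accounts read ~1,000 profiles each; a normal user reads three.
PROFILE_READS = (
    [("carol", f"p{i}") for i in range(1, 1201)]
    + [("grace", f"p{i}") for i in range(1, 1001)]
    + [("mallory", "p1"), ("mallory", "p2"), ("mallory", "p3")]
)


def parse_login_log(lines):
    """Turn raw log lines into (utc datetime, ip, user, result) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result))
    return events


def detect_credential_stuffing(events, window_seconds=300,
                               min_distinct_users=8, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames, mostly failing,
    inside one time bucket. Returns {ip: stats}. Note the successful
    logins are kept ("hits"): stuffing works precisely because some reused
    passwords are right, so a few OKs must not suppress the alert."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "failures": 0, "hits": []})
    for when, ip, user, result in events:
        key = (ip, int(when.timestamp()) // window_seconds)
        b = buckets[key]
        b["users"].add(user)
        b["attempts"] += 1
        if result == "OK":
            b["hits"].append(user)
        else:
            b["failures"] += 1

    flagged = {}
    for (ip, _), b in buckets.items():
        distinct = len(b["users"])
        fail_ratio = b["failures"] / b["attempts"]
        if distinct >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"users": distinct, "attempts": b["attempts"],
                           "failures": b["failures"], "hits": sorted(b["hits"])}
    return flagged


def detect_profile_harvesting(reads, compromised_accounts,
                              max_profiles_per_account=200):
    """Count distinct profiles each account read. Returns (accounts over
    the per-account threshold, number of distinct profiles reachable
    through the compromised accounts). The second number is the blast
    radius: a small set of stuffed accounts can expose far more people."""
    seen = defaultdict(set)
    for actor, profile in reads:
        seen[actor].add(profile)
    over = {a: len(p) for a, p in seen.items() if len(p) > max_profiles_per_account}
    exposed = set()
    for account in compromised_accounts:
        exposed |= seen.get(account, set())
    return over, len(exposed)


if __name__ == "__main__":
    stuffing = detect_credential_stuffing(parse_login_log(LOGIN_LOG))
    for ip, stats in stuffing.items():
        print(f"stuffing from {ip}: {stats}")
        over, exposed = detect_profile_harvesting(PROFILE_READS, stats["hits"])
        print(f"  accounts over read threshold: {over}")
        print(f"  distinct profiles reachable via {len(stats['hits'])} "
              f"compromised accounts: {exposed}")
```

The point of chaining the two functions is the amplification number: two stuffed accounts expose 1,200 distinct profiles here, the same shape as 14,000 compromised logins reaching nearly 6.9 million profiles. Either check alone would have shortened the five-month gap; the second one is the one that scopes the breach notice correctly.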

The second track in the complaint is the cover story. Before the breach, 23andMe told customers its security met high standards. After the breach surfaced in October 2023, the company blamed users for password reuse and claimed its systems hadn’t been breached. “We are assessing the root cause” is standard crisis language. Claiming no breach occurred while simultaneously negotiating with the attacker is not. The AG’s filing details both tracks separately, which is what distinguishes this from a routine data protection enforcement action.

I read the five statutory counts. The California Genetic Information Privacy Act provisions are the most consequential: they impose obligations on genetic testing companies that general-purpose data protection laws don’t. Penalties of $1,000 to $7,500 per violation, multiplied across 855,541 California victims, could reach billions in theory. Chrome Holding Co.’s bankruptcy complicates collection, and the proposed sale of Californians’ genetic data runs through a separate bankruptcy proceeding.

Worth auditing your own incident communications protocols before you draft the next consumer-facing data notice this quarter.

— Rebecca Lauren