California Sues 23andMe for Failing to Protect User Genetic Data
- [01] California is suing 23andMe for failing to secure sensitive genetic and personal data during a massive 2023 security breach.
- [02] The litigation targets 23andMe, now Chrome Holding Co., following a breach that exposed the information of nearly seven million users.
- [03] Organizations must enforce multi-factor authentication, rate-limit and bot-screen login endpoints, and screen for leaked credentials to protect sensitive consumer data and maintain regulatory compliance.
California Lawsuit Targets 23andMe for 2023 Security Failures
According to SecurityWeek, California Attorney General Rob Bonta has filed a lawsuit against Chrome Holding Co. (formerly 23andMe) over the data breach the company disclosed in 2023. The complaint alleges that the genetic testing company failed to implement reasonable security measures to protect the personal and genetic information of millions of users. The lawsuit follows the company's Chapter 11 bankruptcy filing in March 2025 and its subsequent renaming, and is a major regulatory response to one of the most sensitive data exposures in recent history.
Analyzing the 2023 Credential Stuffing Attack
The breach, disclosed in October 2023, was a credential stuffing attack: the attackers replayed username and password pairs stolen from other services against 23andMe's login endpoint, relying on users who had reused those passwords. Only roughly 14,000 accounts, about 0.1% of the user base, were entered this way. The scale came from the "DNA Relatives" feature: each compromised account could view the profiles of its opted-in genetic matches, and the attackers used that access to scrape data on approximately 6.9 million users.
For SOC teams and identity architects, the attack shows two detection failures. At the login endpoint, a source cycling through large numbers of distinct usernames with a very low success rate was not recognized as automation. After login, a few thousand accounts reading relatives' profiles at a volume no person browsing their matches would produce were not recognized as scraping. Credential stuffing succeeds when users reuse passwords and the target neither enforces multi-factor authentication (MFA) nor rate-limits and bot-screens its login endpoint; 23andMe offered MFA only as an option and made it mandatory after the breach. The lawsuit contends that 23andMe did not do enough to warn users of these risks or to mandate stronger authentication before the incident. The company also initially faced criticism for shifting blame onto users for reusing passwords, a stance regulators now characterize as an abdication of corporate security responsibility.
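The two detection points described above, as an added example that is not code from the original page or from 23andMe: a small Python detector run over constructed log lines. The log format, the `/relatives/<id>` path, the IP addresses and all thresholds are assumptions chosen for illustration; the point is that the login-endpoint signal (many distinct usernames, low success ratio from one source) and the post-login signal (one account reading far more profiles than a person would) live in different logs and need separate rules.

```python
"""Detection logic for the two phases of a credential stuffing breach, run over
constructed log lines. Added example; not code from the original page or from 23andMe.
The log format, the /relatives/<id> path and all thresholds are assumptions."""
from collections import defaultdict
import re

# Assumed line format: "<ts> <src_ip> <login|api> user=<id> status=<code> [path=<path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login|api) user=(?P<user>\S+)"
    r" status=(?P<status>\d+)(?: path=(?P<path>\S+))?$"
)


def build_sample_log():
    """Constructed sample traffic (not real data): an ordinary user, one source IP
    replaying a leaked credential list, and one of the accounts it opened being
    used to scrape relative profiles."""
    lines = []
    # alice: two typos, then success, then a handful of relative profile views.
    lines += ["2023-10-01T09:00:0%d 198.51.100.4 login user=alice status=401" % i for i in range(2)]
    lines.append("2023-10-01T09:00:05 198.51.100.4 login user=alice status=200")
    lines += ["2023-10-01T09:01:%02d 198.51.100.4 api user=alice status=200 path=/relatives/%d" % (i, i)
              for i in range(5)]
    # Stuffing run: one IP tries 40 distinct usernames; 4 of the replayed passwords work.
    for i in range(40):
        status = 200 if i % 13 == 0 else 401
        lines.append("2023-10-01T10:00:%02d 203.0.113.7 login user=victim%03d status=%d" % (i, i, status))
    # Post-login scraping: a compromised account reads 150 distinct relative profiles.
    for i in range(150):
        lines.append("2023-10-01T10:05:%02d 203.0.113.7 api user=victim000 status=200 path=/relatives/%d"
                     % (i % 60, 1000 + i))
    return "\n".join(lines)


def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def detect_credential_stuffing(events, min_attempts=20, min_distinct_users=10, max_success_ratio=0.25):
    """Flag source IPs whose logins look like a stuffing run: many attempts spread
    across many distinct usernames with a low success ratio. A person retrying one
    account fails on one username; a bot replaying a leak fails across hundreds.
    (Production code would also bucket by time window and by subnet/ASN.)"""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for e in events:
        if e["event"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["users"].add(e["user"])
        stats["successes"] += int(e["status"] == "200")
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "successes": s["successes"]}
    return flagged


def detect_bulk_profile_reads(events, path_prefix="/relatives/", max_distinct=50):
    """Flag accounts that read far more distinct relative profiles than a user browsing
    their matches would. This is the phase that turned a few thousand compromised
    accounts into millions of exposed profiles, and it is visible only in post-login
    API logs, never at the login endpoint."""
    per_user = defaultdict(set)
    for e in events:
        if e["event"] == "api" and e["path"] and e["path"].startswith(path_prefix):
            per_user[e["user"]].add(e["path"])
    return {user: len(paths) for user, paths in per_user.items() if len(paths) > max_distinct}


if __name__ == "__main__":
    evs = parse(build_sample_log())
    print("stuffing sources:", detect_credential_stuffing(evs))
    print("bulk readers:", detect_bulk_profile_reads(evs))
```

On the constructed sample the first rule flags only 203.0.113.7 (40 attempts across 40 usernames, 4 successes) and the second flags only victim000 (150 distinct profiles); alice's three logins and five profile views stay below both thresholds. The success-ratio condition matters: a stuffing run that still lands a few percent of accounts is exactly the case that is both detectable and worth blocking.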
Impact on Genetic Privacy and Data Security
The sensitivity of the stolen data distinguishes this incident from standard retail breaches. The exposed information included ancestry data, family trees, and in some cases, specific genetic markers. This has raised concerns about the long-term implications for insurance eligibility, identity theft, and personal safety. The California AG’s complaint emphasizes that the company’s failure to secure this data constitutes a violation of the California Consumer Privacy Act (CCPA) and the Unfair Competition Law.
The CCPA's "reasonable security" standard is measured against the nature of the information held, and genetic data sits at the top of that scale. In practice that means controls proportionate to the harm of exposure: encryption in transit and at rest, MFA on by default rather than opt-in, least-privilege access to the genotype and profile stores, and monitoring of any feature, such as relative matching, through which one account can reach many other users' records. The complaint argues that 23andMe's security posture did not reflect the high-risk nature of the data it held and so fell short of the "reasonable security" state law requires for such repositories.
Strategic Mitigations: How to Prevent Credential Stuffing
The 23andMe incident is a blueprint for why organizations must modernize their authentication stacks. Teams protecting healthcare and biotech accounts should prioritize the following technical controls:
- Enforce MFA by default, preferring phishing-resistant methods: Passwords alone are no longer viable. Any second factor defeats plain credential stuffing, because the replayed password is not enough on its own; phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys also holds up when attackers follow the leak with a phishing campaign. MFA must be mandatory for accounts holding sensitive data, not an opt-in that most users never enable.
- Rate limiting and bot detection at the login endpoint: Limit attempts per source IP and per username (the latter catches runs spread across many IPs), and use WAF or bot-management services that score IP reputation, request timing and browser signals such as typing cadence and mouse movement to flag automated logins before they succeed at scale. Apply the same monitoring after login to features that expose other users' data, where bulk reads by a single account are the signature of scraping.
- Adopt a Zero Trust framework: Evaluate every request on its own merits rather than trusting an established session. Step-up authentication for sensitive actions, such as downloading raw genetic data or paging through relatives' profiles, limits what an attacker can do with a stolen password.
- Screen credentials against known leaks: Check new and changed passwords, and optionally passwords at login, against compromised-credential corpora, as NIST SP 800-63B recommends, and force resets for users whose credentials appear in external breaches before attackers can replay them against your infrastructure.
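The rate-limiting and leaked-credential controls above, combined into one login gate as an added example that is not code from the original page or from 23andMe. The leak corpus is constructed, the limits are assumptions, and the in-memory stores stand in for a shared store such as Redis; a deployment would query a real compromised-credential feed (the Have I Been Pwned range API uses the same 5-hex-character SHA-1 prefix scheme that `range_lookup()` simulates here) and would call its existing `verify()` credential check.

```python
"""Login hardening against credential stuffing: compromised-password screening via a
k-anonymity prefix lookup plus sliding-window rate limits keyed by source IP and by
username. Added example; not code from the original page or from 23andMe. The leak
corpus is constructed, the limits are assumptions, and the in-memory stores stand in
for a shared store such as Redis."""
import hashlib
import time
from collections import defaultdict, deque

# Constructed corpus of SHA-1 hashes of passwords seen in leaks (not real breach data).
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
               for p in ["password", "123456", "qwerty", "letmein", "Summer2023!"]}


def range_lookup(prefix5):
    """Simulated range endpoint: every known hash suffix for a 5-char SHA-1 prefix.
    The caller never reveals the full hash, so the service cannot learn the password."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix5)}


def is_password_compromised(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGate:
    """Rate limits run before the password is checked, so a stuffing run is throttled
    whether or not a guess is right; the per-username limit also catches runs spread
    across many IPs, which a per-IP limit alone misses. A correct password that is in
    a leak corpus does not yield a session: the user is sent to a forced reset.
    (Per-IP limits need tuning for large NATs; per-username limits do not.)"""
    def __init__(self, ip_limit=20, ip_window=60, user_limit=5, user_window=300):
        self.per_ip = SlidingWindowLimiter(ip_limit, ip_window)
        self.per_user = SlidingWindowLimiter(user_limit, user_window)

    def attempt(self, ip, username, password, verify, now=None):
        """verify(username, password) -> bool is the existing credential check."""
        if not self.per_ip.allow(ip, now) or not self.per_user.allow(username, now):
            return "rate_limited"
        if not verify(username, password):
            return "bad_credentials"
        if is_password_compromised(password):
            return "reset_required"
        return "ok"


if __name__ == "__main__":
    users = {"alice": "Summer2023!", "bob": "N0t-in-any-leak-corpus!"}   # constructed
    check = lambda u, p: users.get(u) == p
    gate = LoginGate()
    print(gate.attempt("198.51.100.4", "alice", "Summer2023!", check, now=0.0))  # reset_required
    for i in range(21):
        result = gate.attempt("203.0.113.7", "victim%03d" % i, "password", check, now=1.0 + i)
    print(result)  # rate_limited on the 21st attempt from one IP
```

Checking the password after `verify()` succeeds is deliberate: it keeps the leak lookup off the hot path for wrong guesses and means a user whose correct password has since appeared in a breach is moved to a reset instead of being let in, which is the point at which 23andMe's reused-password accounts would have been caught.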
The legal pressure from the California AG signals a shift toward stricter accountability for companies handling genetic and other sensitive personal data. Organizations must recognize that technical debt in security infrastructure is now a significant legal and financial liability, especially as regulators look beyond the initial attack vector to evaluate the adequacy of defense-in-depth measures.