
23andMe Sued by California Over Massive 2023 Data Breach

Attorney general calls the company's security measures "lax" and says the company failed to adequately investigate warnings its systems had been compromised.

CNET 3 min read 8/10 California
Key Takeaways
  • The 2023 breach exposed genetic and personal data of approximately 6.9 million 23andMe users, representing more than half of the company's customer base at the time.
  • California Attorney General Rob Bonta filed the lawsuit on August 23, 2024, citing violations of the California Consumer Privacy Act and the state's Unfair Competition Law.
  • Attackers used credential-stuffing to access accounts, then scraped data from the DNA Relatives feature—a flaw 23andMe had been warned about months earlier by an internal whistleblower.
  • The company's stock price fell more than 50% in the months following the breach, and 23andMe has since disclosed a potential inability to continue as a going concern.
  • If fined the maximum of $2,500 per violation under the CCPA, 23andMe could face penalties exceeding $17 billion—though actual fines are likely to be far lower in a settlement.
A single alleged failure to act on security warnings may now cost 23andMe millions—and the trust of every customer who shared their DNA. California Attorney General Rob Bonta has sued the genetic-testing company over a 2023 data breach that exposed the sensitive genetic and personal information of nearly 7 million users. The lawsuit, filed in San Francisco Superior Court, accuses 23andMe of maintaining "lax" security measures and failing to adequately investigate multiple warnings that its systems had been compromised. Bonta's office alleges the company violated California's Consumer Privacy Act and Unfair Competition Law, and is seeking civil penalties that could reach $2,500 per violation—potentially billions of dollars given the scale of the breach.

The 23andMe data breach lawsuit represents one of the most aggressive state actions against a genetic-data company, raising urgent questions about the safety of consumer genomic data. Since the breach came to light in October 2023, 23andMe has faced class-action lawsuits, a federal investigation, and a steep drop in its stock price.

The company disclosed that attackers used credential-stuffing techniques to log into accounts, then scraped data from the "DNA Relatives" feature, which matches users based on shared ancestry. The stolen data included names, birth years, geographic locations, and detailed genetic-relationship estimates. A whistleblower reportedly alerted the company to suspicious login patterns months before the breach, but no action was taken.

"This is about protecting the most intimate data a person can have—their own genetic code," Bonta said in a statement. "23andMe's security failures left millions of Californians exposed, and we are holding them accountable."

The 23andMe data breach lawsuit also underscores a broader regulatory push: the California Privacy Protection Agency has proposed new rules specifically governing the collection and retention of genetic data.

Legal experts say the case could set a precedent for how states enforce data security in the health-tech sector. "What happens with 23andMe will ripple across the entire industry," said privacy law professor Anjali Patel of UC Berkeley. "Genetic data is permanent and uniquely identifying. If companies don't lock it down, regulators will do it for them."

Looking ahead, 23andMe faces a potential cash crunch. The company warned in a securities filing that it might not have enough funds to continue operations. A trial or settlement is months away, but the legal momentum—combined with declining revenue and user trust—makes the outlook precarious.

The big question for consumers: If 23andMe goes under, what happens to the genetic data of millions of customers? The company has said it would seek a bankruptcy sale, but California's lawsuit may demand that data be destroyed first.

"23andMe's security failures left millions of Californians exposed, and we are holding them accountable." — California Attorney General Rob Bonta

Frequently Asked Questions

California Attorney General Rob Bonta sued 23andMe in August 2024 over a 2023 data breach that exposed genetic and personal data of nearly 7 million users. The lawsuit claims the company had lax security and ignored warnings about the breach.

The state of California, represented by Attorney General Rob Bonta, filed the lawsuit. It alleges violations of the California Consumer Privacy Act and Unfair Competition Law.

Attackers stole names, birth years, geographic locations, and genetic-relationship estimates from the DNA Relatives feature. The data could be used to identify family connections and sensitive health predispositions.

Hackers used credential-stuffing—reusing passwords stolen from other sites—to log into 23andMe accounts. They then scraped data from the DNA Relatives feature, which matches users based on shared ancestry.
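As an added, defender-side illustration (not from the CNET article or from 23andMe), this is the kind of "suspicious login pattern" check the article refers to: one source attempting many distinct accounts with a high failure rate inside a short window, followed by the accounts that did log in from that source, which are the sessions to revoke before they can be used to scrape anything. The log format, IP addresses and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample auth log: "<ISO time> <source IP> <account> <OK|FAIL>".
# 203.0.113.7 tries six accounts in ten seconds and fails on five: the shape
# of a credential-stuffing run. 198.51.100.2 is one user mistyping a password
# once, which the rule must not flag.
SAMPLE_LOG = """\
2023-08-01T10:00:01 203.0.113.7 alice FAIL
2023-08-01T10:00:03 203.0.113.7 bob FAIL
2023-08-01T10:00:05 203.0.113.7 carol OK
2023-08-01T10:00:07 203.0.113.7 dave FAIL
2023-08-01T10:00:09 203.0.113.7 erin FAIL
2023-08-01T10:00:11 203.0.113.7 frank FAIL
2023-08-01T10:01:00 198.51.100.2 grace FAIL
2023-08-01T10:01:20 198.51.100.2 grace OK
"""

def parse_log(text):
    """Return a list of (time, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events

def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.6,
                               window_minutes=10):
    """Map each suspicious source IP to (distinct accounts, failure ratio).
    Stuffing replays leaked username/password pairs, so one source touches many
    different accounts and most attempts fail; a user retrying a password touches
    one account. Attackers rotate IPs, so this is one signal, not a full detector."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        times = sorted(t for t, *_ in evs)
        accounts = {acct for _, _, acct, _ in evs}
        fail_ratio = sum(not ok for *_, ok in evs) / len(evs)
        span_min = (times[-1] - times[0]).total_seconds() / 60
        if (len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio
                and span_min <= window_minutes):
            flagged[ip] = (len(accounts), round(fail_ratio, 2))
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: sessions to
    revoke and users to force through a password reset before data is scraped."""
    return {acct for _, ip, acct, ok in events if ok and ip in flagged}
```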

Under the California Consumer Privacy Act, each violation can incur a fine of up to $2,500. Given the scale of the breach, penalties could theoretically reach billions, though a settlement is more likely.

23andMe has said it would seek a bankruptcy sale, but California’s lawsuit may demand that the genetic data be destroyed first. Privacy advocates are pushing for clear rules on data disposal.

Original source: www.cnet.com