California Attorney General Takes Action Against Chrome Holding Over Data Breach
California Attorney General Rob Bonta is gearing up for a legal battle against DNA testing company Chrome Holding. This comes after a thorough investigation revealed that its predecessor, 23andMe, dropped the ball on protecting sensitive customer information. The fallout? A massive data breach in 2023 that put the genetic predispositions and risk factors of nearly seven million users at risk, not to mention their biological relatives, ancestry, and ethnicity details. Bonta didn’t mince words, stating, “Our investigation found that the company failed to take basic steps to protect users’ data.” He added that 23andMe “lied to consumers about the severity of its 2023 data breach.”
Now, here’s the kicker: the data breach didn’t just stop at exposing personal information. It reportedly led to the sale of user data on the dark web, with hackers specifically targeting Asian American Pacific Islanders (AAPI) and Jewish users’ information. “This is disturbing and incredibly dangerous,” Bonta expressed, especially considering the rising tide of “anti-Asian American and Pacific Islander and antisemitic hate and violence.” Users were hit by a “credential stuffing” attack, where hackers used leaked passwords from previous breaches to sneak into 23andMe accounts, exploiting those who had reused similar credentials.
This is a big deal, folks. The 2023 breach has drawn international attention and scrutiny. Just last year, 23andMe faced a hefty £2.31 million fine from the Information Commissioner’s Office (ICO) in the UK. The ICO alleged that the company had failed to implement adequate measures to secure sensitive user data before the incident occurred. The ICO also reported that personal data of over 155,000 UK residents was accessed during the breach. In response to the scandal, the company claimed to have made “several binding commitments to enhance protections for customer data and privacy.” Under UK law, genetic data is classified as a special category requiring extra safeguards due to its sensitive nature.
The ICO's investigation was not done in isolation; it was coordinated with Canada’s privacy commissioner, and it found that 23andMe violated UK law by lacking appropriate authentication and verification measures during the login process. And if that wasn’t enough, 23andMe had already been under the spotlight last year when users reported having issues deleting their accounts after the company filed for Chapter 11 bankruptcy protection, aiming to sell itself through a court-supervised process. You can imagine the fears floating around: what if insurance companies get their hands on this data and start making decisions about coverage based on genetic information?
Let’s not forget that 23andMe was co-founded by Anne Wojcicki, who’s no stranger to the spotlight as the sister of the late YouTube CEO Susan Wojcicki and ex-wife of Google co-founder Sergey Brin. Once, they had a star-studded clientele, including the likes of Snoop Dogg, Oprah Winfrey, and Eva Longoria, and their stock price soared above $300 at its peak before crashing in 2024. This whole situation raises a lot of questions… What’s next for users? Will this lawsuit bring about real changes in how companies handle sensitive genetic data?