California Attorney General sues 23andMe successor for 2023 data breach

California Attorney General Rob Bonta filed suit against Ancestry.com, owner of genetic testing company 23andMe, over a 2023 data breach that exposed personal information of millions of users. Bonta alleges the company misrepresented the breach's severity and failed to notify customers with adequate urgency.

The lawsuit centers on 23andMe's handling of unauthorized access to user accounts. Hackers obtained genetic data, names, birth dates, and ancestry information belonging to roughly 6.9 million users. The company disclosed the breach publicly months after discovering the initial intrusion, drawing sharp criticism from regulators and privacy advocates.

Bonta's complaint accuses 23andMe of deceptive practices under California's consumer protection statutes. The state argues the company minimized the breach's scope when communicating with customers and regulators. Internal documents allegedly show leadership knew the breach was widespread but downplayed its impact in public statements.

The timing matters. Ancestry acquired 23andMe's consumer genetics business in 2021, though the brands operate separately. The company faced mounting pressure from state attorneys general and privacy organizations over data handling practices. This lawsuit represents the most aggressive enforcement action against the company since the breach occurred.

The case underscores persistent tensions in the consumer genetics industry. Companies in this space collect and store some of the most sensitive personal data available. Regulatory agencies nationwide have stepped up scrutiny of security protocols and breach disclosure timelines. California's action signals states will pursue aggressive penalties against firms that handle genetic data recklessly or mislead the public about risks.

Ancestry and 23andMe did not immediately respond to requests for comment.