“23andMe’s security measures were so lax that the threat actor was able to operate undetected within 23andMe’s systems for over five months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom,” prosecutors said in the complaint.In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users.“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers’ data belonged to Asian-Pacific Islander and Ashkenazi Jewish users.“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence,” Bonta said in a press release. “This is disturbing and incredibly dangerous.”Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company’s role in it.The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a “suspicious spike in user login attempts” in July and a Reddit post discussing a possible breach and sale of user data in August.Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
Genetic data requires “one of the highest levels of protection” and California law “mandates a heightened legal obligation” to protect it, the lawsuit said.Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
Bonta also intervened to ensure customers’ genetic data wouldn’t be mishandled during 23andMe’s Chapter 11 bankruptcy and asset sale, arguing that California’s Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most U.S. customer claims and received final approval in January by a federal judge overseeing 23andMe’s bankruptcy.Related:Website Security Breach Exposes 1 Million DNA Profiles
Related:Website Security Breach Exposes 1 Million DNA Profiles
Source: SecurityWeek
