California Sues 23andMe Over Security Failures

TL;DR: California's Attorney General is suing the company that now holds 23andMe's assets. The lawsuit, filed on May 27, 2026, alleges significant security failures and misleading statements related to the major 2023 data breach that exposed sensitive genetic information of millions of users.
Key facts
- Category: Cybersecurity
- Impact: High
- Published:
- Source: Malwarebytes Labs
Full summary
California is suing the company holding 23andMe's assets over its massive 2023 data breach, alleging major security failures and misleading statements.
California's Attorney General has filed a lawsuit against Chrome Holding Co., the successor to the DNA testing company 23andMe, following its bankruptcy. The suit, filed in San Francisco Superior Court on May 27, 2026, addresses the major data breach that occurred in 2023. The state's complaint accuses the company of significant security failures that led to the exposure of sensitive genetic information belonging to millions of users. Furthermore, the lawsuit alleges that the company made misleading statements about the incident, failing to provide a clear and accurate account of the breach's scope and impact.
This legal action serves as a critical reminder for tech leaders about the long-term consequences of security vulnerabilities. The case highlights how regulatory bodies are holding companies accountable for protecting sensitive user data, with legal and financial repercussions extending even after major corporate changes like bankruptcy. For security teams and CTOs, the lawsuit underscores the importance of defending against common attack vectors like credential stuffing and implementing robust monitoring systems. The outcome could set a precedent for corporate liability in breaches involving highly personal information, such as genetic data.
Why it matters
This lawsuit is a significant case study for tech companies on the long-term legal ramifications of data breaches. It highlights the growing regulatory scrutiny on how companies handle sensitive user data and communicate security failures, particularly from state attorneys general.
Business impact
The legal action against 23andMe's successor, even after bankruptcy, underscores that financial and reputational liability from security incidents can persist for years. For founders and CTOs, it reinforces the need for proactive security investment to avoid severe, long-tail legal risks and brand damage.
Primary source: Malwarebytes Labs