Press Releases
10/31/2023
Attorney General Tong Issues Inquiry Letter to 23andMe Following Data Breach Targeting Users with Jewish and Chinese Heritage
(Hartford, CT) – Attorney General William Tong issued an inquiry letter to genetic testing and ancestry company 23andMe, Inc. seeking details of a data breach that reportedly exposed sensitive records for over five million users, including specifically those of Ashkenazi Jewish and Chinese heritage.Earlier this month, 23andMe issued a press release disclosing that customer profile information shared through the company’s DNA Relatives feature had been accessed without authorization, exposing names, sex, date of birth, geographical location, and genetic ancestry results. The threat actor has posted sample data indicating the attack was targeted at account holders with Ashkenazi Jewish and Chinese heritage.
“I understand that the 23andMe breach resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage. According to reports, a second leak revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web. Finally, most recent reports point to a third leak of information from 23andMe’s “DNA Relatives” feature containing the genetic ancestry information of an estimated four million individuals. I also understand from those reports that the threat actor claims to possess more than 300 terabytes of 23andMe data,” said Attorney General Tong in the letter. “The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public.”
To date, 23andMe has not submitted a data breach notification to the Office of the Attorney General. Connecticut’s data breach notification law requires that notice be provided no later than 60 days following a security breach compromising the personal information of a Connecticut resident. Reports indicate that the breach may have been the resident of a “credential stuffing” attack. Connecticut’s breach notification statute expressly includes email address and password information.
Attorney General Tong’s letter also notes that the breach calls into question the company’s compliance with the Connecticut Data Privacy Act, which provides Connecticut consumers with important rights over their personal data and imposes corresponding privacy and data security obligations on companies that maintain and process personal data.
“23andMe is in the business of collecting and analyzing the most sensitive and irreplaceable information about individuals, their genetic code. This incident raises questions about the processes used by 23andMe to obtain consent from users, as well as the measures taken by 23andMe to protect the confidentiality of sensitive personal information,” Attorney General Tong states in the letter.
- Twitter: @AGWilliamTong
- Facebook: CT Attorney General
Media Contact:
Elizabeth Benton
elizabeth.benton@ct.gov
Consumer Inquiries:
860-808-5318
attorney.general@ct.gov