Arizona Attorney General Pursues Legal Measures Against 23andMe for Data Security Breach: Client Privacy Compromised

by | Jan 12, 2024

Genetic testing firm 23andMe is facing serious accusations of a major data breach that could compromise the personal information of millions of its customers. The breach, which occurred in October, allowed unauthorized hackers to access sensitive data, including personal information of 23andMe clients. Of concern is the fact that the stolen data includes information about individuals with Jewish and Chinese heritage, which was later sold on the dark web. This raises questions about the targeted exploitation of specific racial or ethnic groups and the potential harm that can result.

Arizona Attorney General Kris Mayes wasted no time in demanding answers from 23andMe and expressing deep concerns about the breach and the company’s failure to inform authorities. In a letter, Mayes emphasized the importance of strong data security measures and the need for companies to get explicit consent from consumers before collecting, using, and selling their personal data. Mayes also condemned 23andMe’s actions given the rise in hate crimes, as the breach exposed sensitive information about individuals from specific ethnic backgrounds, potentially facilitating malicious use of this data.

Under Arizona law, companies operating within the state must promptly report data breaches. 23andMe’s failure to comply has not gone unnoticed. Mayes accuses the company of neglecting its legal obligation to report the breach and demands immediate action to fix the situation. Additionally, Mayes questions the adequacy of 23andMe’s cybersecurity measures, criticizing their lack of anticipation and prevention of such attacks. She wants a detailed list of the number of affected Arizonans to understand the scope and impact of the breach on her constituents.

This is not the first time 23andMe has faced scrutiny for its handling of customer data. In 2018, the company faced backlash for selling customer data to third-party pharmaceutical companies without explicit consent. This incident only reinforces the need for stricter regulations and oversight in the collection and use of personal genetic information. It remains unclear if other states have made similar requests for information, but the severity of this breach raises concerns that it may not be an isolated incident. The sale of stolen data on the dark web further emphasizes the need for strong cybersecurity measures to protect customers’ sensitive information.

Though 23andMe concluded its internal investigation on December 1, no specific timeline has been provided for the company to respond to Mayes’ letter. The attorney general’s office is committed to holding 23andMe accountable for the alleged violation of state law.

In a time where personal data breaches are becoming more common, it is important for companies to prioritize the privacy and security of their customers. The incident involving 23andMe serves as a reminder of the risks associated with sharing personal information, particularly genetic data.

As the investigation into 23andMe’s alleged data breach unfolds, consumers must remain vigilant and proactive in protecting their personal information. By staying informed and taking necessary precautions, individuals can reduce the risks associated with the growing threat of data breaches.

In the aftermath of this alarming breach, both authorities and consumers must demand more transparency, accountability, and protection when it comes to handling personal data. Only through collective action can we ensure that companies prioritize data security and respect individuals’ privacy rights.