Connecticut Attorney General Willam Tong issued a letter yesterday to Jacquie Cooke, General Counsel and Privacy Officer for 23andMe Inc., in relation to a data breach that exposed the personal data of people with Ashkenazi Jewish and Chinese ancestry.
"More specifically, we understand that the 23andMe breach has resulted in the targeted exfiltration and sale on the black market of at least one million data profiles pertaining to individuals with Ashkenazi Jewish heritage. Reports indicate that a subsequent leak has revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web as a result of this hack. The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public," wrote AG Tong.
23andMe has not yet submitted a breach notification pursuant to Connecticut’s breach notification statute, Conn. Gen. Stat. § 36a-701b. The law requires that notice be provided to the Attorney General's Office and to any impacted Connecticut residents “without unreasonable delay” and not later than sixty (60) days after discovery of the breach.
The data breach also calls into question 23andMe’s compliance with the Connecticut Data Privacy
Act (“CTDPA”), Conn. Gen. Stat. § 42-515 et seq, and raises questions about the processes used by the company to obtain consent, as well as the measures taken to protect confidential personal information.
Answers to 14 questions have been requested to get a better sense of the size and scope of the data breach as it relates to Connecticut residents, whether the personal information of Connecticut residents is available on the dark web, what safeguards were put into place regarding data privacy and security after the breach, copies of audit reports regarding the breach and more.
AT Tong has asked that 23andMe provide the requested information no later than November 13, 2023.