The Surprising Part: They Allegedly Paid the Ransom Anyway

When a company pays a ransom to a data thief, it is usually trying to prevent disclosure. According to California Attorney General Rob Bonta's lawsuit against 23andMe's new owners, both things happened: the genetics company paid the attacker *and* the breach became one of the largest exposures of genetic data on record. If the allegation holds, it raises an uncomfortable question: what exactly did the ransom buy?

Bonta filed the suit in connection with a 2023 breach that compromised the DNA-linked personal data of millions of 23andMe customers. The AG's office has characterized the leak as 'disturbing,' a word that carries specific weight when the data in question is genetic.

Why Genetic Data Is Different

Genetic information (the biological data encoded in DNA that can reveal ancestry, disease risk, and family relationships) occupies a distinct legal and ethical category from, say, a leaked email address. You can change a password. You cannot change your genome. Crucially, a breach of one person's genetic data also exposes information about their biological relatives — people who may never have interacted with 23andMe at all.

California has some of the strongest consumer data protections in the United States, and the AG's office has been aggressive in pursuing companies that it believes mishandled sensitive information. The decision to sue over a breach that predates the current ownership structure signals that Bonta's office views the liability as attached to the data and the conduct, not merely to a corporate entity that no longer exists in its original form.

Bankruptcy Didn't Wash the Liability Away

23andMe filed for bankruptcy in 2025 after years of financial difficulty. Bankruptcy can discharge many obligations, but it does not automatically extinguish regulatory enforcement actions or state AG suits — particularly those alleging consumer protection violations. The lawsuit has followed the company's assets to their new owners.

The identity of those new owners and the terms of the acquisition have not been detailed in the available source material for this article. What is clear is that whoever bought 23andMe's assets bought this lawsuit along with them.

What the Suit Alleges

The core allegations, as reported by The Register, are twofold. First, that 23andMe downplayed the 2023 breach, understating its severity to customers, regulators, or both. Second, that the company paid a ransom to the attacker. The combination matters legally: paying a ransom while minimizing public disclosure could be read as evidence that company leadership understood the breach was serious, which would undercut any defense based on good-faith uncertainty about the scope of the incident.

It is worth being precise about what is not yet established: these are allegations in a lawsuit, not findings of fact. The new owners have not, in the available reporting, responded publicly to the suit. The full evidentiary record has not been tested in court.

What Comes Next

The case is likely to be closely watched by privacy lawyers and by companies that acquire data-heavy businesses through distressed sales. If California prevails, it would reinforce the principle that buying a bankrupt company's customer database means buying its legal exposure too — a consideration that could reshape how acquirers price and structure deals involving sensitive personal data.

For 23andMe customers, the more immediate question is what, if anything, they are owed. Class action suits related to the 2023 breach have been reported separately. The AG action is a parallel track, focused on the company's conduct rather than individual customer remedies — though the two proceedings could inform each other as they develop.