Key developments
California sues 23andMe over genetic breach
California Attorney General Rob Bonta filed a complaint Thursday in San Francisco Superior Court against Chrome Holding Co., the company formerly known as 23andMe, over a 2023 breach of genetic and other sensitive personal data. The complaint says hackers scraped information tied to nearly 7 million people through the DNA Relatives feature, including about 855,000 Californians, after the breach began in April 2023 and ran for about five months. Bonta alleges the company ignored warnings and downplayed the incident and is seeking civil penalties under state privacy and consumer-protection laws.
Why it matters
It escalates scrutiny of how highly sensitive genetic data is protected and transferred, including during bankruptcy proceedings.
Sources & driving stories
WTVB · Jonathan Stempel
WTVB coverageCBS NEWS SAN FRANCISCO · Carlos E. Castañeda
CBS News San Francisco coverageCarnival confirms breach affecting 5.99 million customers
Carnival Corporation confirmed a data breach affecting 5,995,277 customers after attackers gained access through social engineering that tricked an employee into sharing credentials. The company said unauthorized activity was detected on April 14, personal data was confirmed copied by April 22, and customer notifications began on May 27. Exposed information included names, email addresses, dates of birth, genders, geographic locations, and loyalty-program details, and U.S. customers are being offered two years of TransUnion credit monitoring.
Why it matters
The scale and sensitivity of the exposed data create immediate phishing and identity-fraud risk for millions of travelers.
Sources & driving stories
SAFESTATE
Safestate coverageFIFA World Cup ticket scam network exposed
Group-IB says a Chinese-speaking fraud operation it calls GHOST STADIUM has built a near pixel-perfect clone of FIFA’s ticket site across more than 300 active domains. The campaign, first observed in November 2025 and investigated from March through May 2026, has used Facebook ads and more than 4,300 impersonation domains registered since August 2025 to harvest credentials and payment details. Group-IB estimated premium-ticket fraud losses alone at $71 million to $474 million and said total losses across the operation could reach into the billions.
Why it matters
It shows a large, organized credential-theft and payment-fraud infrastructure is already in place ahead of peak World Cup demand.
Sources & driving stories
THE RECORD · Alexander Martin
The Record coverageWorth noting
WORTH NOTING
Circle K breach settlement opens claims
Affected U.S. residents can seek up to $2,000 in documented losses or a $50 cash payment, plus two years of credit monitoring, after the May 2024 incident.
WORTH NOTING
A-Line breach negligence suit dismissed
A federal judge said workers failed to show a concrete causal link between the 2024 breach and alleged fraud or misuse, tightening the negligence standard.
WORTH NOTING
LoneStar Truck Group exposes SSNs
The newly disclosed breach affects 1,725 Texas residents and includes names, addresses, and Social Security numbers.
Still unclear
OPEN QUESTION
Will California’s 23andMe suit affect the bankruptcy data-transfer fight?
The case could shape how courts handle the transfer and sale of highly sensitive genetic data in insolvency proceedings.
OPEN QUESTION
How much of GHOST STADIUM will activate before kickoff?
Most of the fraud network is dormant, so the scale of the campaign could expand sharply as World Cup demand rises.