Key developments
California AG sues 23andMe over genetic breach
California Attorney General Rob Bonta filed suit against Chrome Holding Co., formerly 23andMe, over its 2023 breach affecting about 855,000 California residents. Tech Jacks Solutions reported the attack began with credential stuffing against the DNA Relatives feature, which enabled mass scraping of linked user profiles. The complaint alleges the company failed to use basic security controls and properly notify affected users.
Why it matters
It raises the odds of tougher enforcement for companies handling highly sensitive genetic data.
Sources & driving stories
TECH JACKS SOLUTIONS SECURITY COMMAND CENTER · Tech Jacks Solutions
Carnival discloses employee-account breach affecting millions
Carnival Corporation said it detected unauthorized activity in April after an employee account was deceived into giving access to a limited part of its IT systems. Reporting from WSMV and WBRZ says the notice filed in Maine put the affected total at 5,995,277 people and listed exposed data including names, addresses, email addresses, phone numbers, dates of birth, and government-issued identification numbers. Carnival said it blocked the activity, worked with outside security experts, and began notifying U.S. customers with two years of credit monitoring.
Why it matters
It shows how social engineering of a single account can still produce mass privacy exposure at a major consumer brand.
Sources & driving stories
WSMV 4 · Jordan Gartner
WBRZ
Krispy Kreme reaches $1.62 million breach settlement
Krispy Kreme agreed to a $1.62 million settlement resolving litigation tied to an alleged November 2024 data breach. The reported class includes U.S. residents who received notice that personal information may have been affected, including names, dates of birth, Social Security numbers, and financial account information. Reported benefits include about $75 in cash without documentation, up to $3,500 with proof of losses, one year of credit monitoring, and a June 22, 2026 claim deadline.
Why it matters
It puts a concrete price on breach-related consumer claims and moves another retail case toward closure.
Sources & driving stories
AOL
Worth noting
WORTH NOTING
Oregon DOC insider access hit 33,000 files
The reported months-long access window suggests sustained misuse inside a corrections agency, not a one-off intrusion.
WORTH NOTING
Booking.com partner breach fueled reservation hijacks
The report shows how stolen booking details can power convincing payment scams without breaching Booking.com's core systems.
Still unclear
OPEN QUESTION
Will more AG suits target genetic-data firms?
Bonta's filing could become a template for forcing stronger security and breach-notice standards around highly sensitive consumer data.
OPEN QUESTION
How much risk now comes from accounts?
Carnival and Booking.com both point to employee or partner access abuse as a major privacy failure mode.
