California AG Sues 23andMe Over Data Breach

California AG Files Lawsuit Over 23andMe Data Breach

California Attorney General Rob Bonta has filed a lawsuit against the genetic testing company formerly known as 23andMe over its 2023 data breach that affected almost 7 million Americans. The lawsuit alleges multiple violations of state consumer privacy and data protection laws.

23andMe is a provider of direct-to-consumer DNA testing services. Consumers purchase kits for collecting saliva samples, which are sent to the company for DNA analysis. Consumers are given a report detailing their ancestry, ethnicity, and genetic health predispositions, and can access a platform that allows them to trace their biological relatives.

In 2023, 23andMe discovered that around 14,000 accounts had been subject to unauthorized access over a period of around 5 months, resulting in a breach of the personal and genetic information of 6.9 million individuals, including 855,541 California residents. Access to the accounts was gained using a technique known as credential stuffing.

Inside the Charter data breach: hackers leak 13M+ customer data

The notorious hacker group ShinyHunters just posted Charter data on its dark web blog, claiming that it failed to reach an agreement with the company. The message most likely indicates that Charter refused to meet the hackers’ ransom demands.

“The company failed to reach an agreement with us despite our incredible patience, all the chances and offers were made,” ShinyHunters said in its dark web post.

In retaliation, the attackers claim they’ve released 42 million Charter records stolen from the company. Charter Communications, better known as Spectrum to its customers, is the largest cable operator in the US and the fifth-largest phone provider in the country.

Meanwhile, Charter says the company is aware of hacker claims and denies any sensitive data was stolen.

“We are aware of the situation, following our security protocols and are working with appropriate authorities. No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity,” the company's spokeswoman told Cybernews.

Why more cybersecurity laws have not meant lower cyber losses

Over the last decade, cyber incidents have become a persistent threat to a range of targets, from critical infrastructure to individual households. From ransomware attacks to supply chain compromises to phishing campaigns, cyber threats cascaded across all areas. During the same period, states ramped up cybersecurity legislative efforts, introducing over 2,700 cybersecurity bills and passing over 700.

This raises a more precise question: Are states introducing more cybersecurity bills primarily in response to rising cyber complaints and losses, or are broader forces, such as policy diffusion, economic exposure, and shifting legislative agendas, also shaping that activity?

This commentary offers a preliminary analysis by pairing data from two sources: state-level cybersecurity legislation activity sourced from the National Conference of State Legislatures (NCSL) website, and state-level victimization and loss metrics from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3).

Raising the Cybersecurity Stakes: Ante up for the Agentic Era

Over the past few years, GenAI platforms have matured from pattern-matching large language models (LLMs) to tool-calling agents. Many enterprises now report that the majority of their code is written by AI. However, threat actors have also upped the ante – agentic attacks shape offense faster than human defenses can respond.

In the last decade, the fundamental questions of cybersecurity have evolved. When CISOs asked, “What do I have?”, the industry provided context on assets. When they asked, “What is important?”, the industry provided prioritization. When they asked, “How do I fix it?”, the industry provided remediation.

Now, virtually every cybersecurity solution has implemented conversational AI that can make recommendations, but manual remediation cannot keep pace with AI-powered cyberattacks.

The agentic era is forcing manual remediation processes to evolve rapidly. CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale.

Cybersecurity trends in SEC filings

In 2023, the Securities and Exchange Commission (SEC) required public companies to include a new section in their 10-K annual filings that is devoted to cybersecurity. This section is meant to address “cybersecurity risk management, strategy, governance and incidents.”

I got curious as to what senior cybersecurity executives are conveying about their companies in these reports. I turned this into a research project that also gives me a reason to test out some AI techniques as well.

The article is broken into two sections: My findings regarding Section 1.C for the top 200 companies in the S&P, and the second being my methods used to include some AI tech.

10-K Section 1.C

Some really great analysis of Section 1.C has already been done to include a Harvard Law School study, a PWC study and an International Journal of Accounting Information Systems paper. These were great reads, but both were done over a year ago with the first batch of filings.

NYDFS Issues Guidance on Frontier AI Cyber Risks, Heightened Cyber Threat Environments

The New York Department of Financial Services (NYDFS) has issued new guidance to entities subject to its cybersecurity regulation (regulated entities), including on cybersecurity threats associated with frontier AI models.

On May 21, 2026, NYDFS issued two industry letters: an advisory to chief information security officers (CISOs) of regulated entities on heightened cybersecurity risks posed by "frontier AI models" capable of accelerating vulnerability discovery and exploit development (the AI Advisory), and broader guidance on measures regulated entities should consider when operating in a "heightened cybersecurity threat environment" (the Guidance). The two documents are meant to be read together, with the AI Advisory referencing specific sections of the Guidance that entities should review to respond to AI-driven threats.

Regulated entities should review both letters carefully and assess their practices against NYDFS's guidance. NYDFS is known to follow such industry guidance with targeted enforcement, and regulated entities should expect NYDFS to probe how they have weighed the recommendations in the letters in both enforcement actions and examinations.