What Not To Do: 23andMe Post-Breach Comms Review

Phil Muncaster considers the lessons that businesses can learn from 23andMe’s controversial incident response strategy

A major data breach sits tight on every business leader’s list of worst nightmares. But what happens next is critical. A well-practised and carefully crafted response can do much to mitigate the financial and reputational impact. In some cases, it can even burnish the company’s reputation among its customers. Unfortunately, that doesn’t appear to be the case at genetic testing business 23andMe.

The decision that 23andMe took to blame the victims for a serious data breach (and, in the same breath, downplay the impact of it on them) has baffled many experts. But in the spirit of looking for a silver lining, the incident can provide a valuable example of the importance of crisis comms expertise in any breach response.

What happened?

The Californian biotech outfit 23andMe first notified users about a cyber incident in early October 2023. However, at least one threat actor was known to be advertising hundreds of terabytes of customer data for sale as far back as August. It wasn’t until two months later, in December 2023, that a regulatory filing from 23andMe revealed what had happened.

According to its telling, hackers compromised the accounts of 0.1% of customers – estimated at around 14,000 – through classic credential stuffing techniques. That means they used compromised passwords that had been reused by customers to access the accounts. However, the hackers subsequently used this access to view and scrape profile information on other users’ ancestry via an opt-in ‘DNA Relatives’ feature. In total, 6.9 million users were impacted, with compromised information including names, birth years, relationship labels, percentage of DNA shared with relatives, ancestry reports and self-reported location.

This opened the floodgates to a reported 30+ class action lawsuits.

23andMe’s “they-a” culpa

A much-publicised letter from 23andMe’s lawyers to representatives of hundreds of these litigants takes an aggressive line against their claims. It claims there was no “breach” at the firm because the incident stems from preventable credential stuffing of users’ accounts, which was their responsibility.

“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” it notes. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

“I don’t know which incident response playbook this company has decided to follow, but it’s up there with The Chronicles of Narnia as a classic work of fiction” Brian Higgins

The lawyers also argue that even if a “violation” did occur, it has been remediated, because 23andMe notified law enforcement, reset all passwords and began forcing customers to use two-factor authentication (2FA) to log in. Finally, the firm argues: “The information that the unauthorised actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information.”

Experts Assured Intelligence spoke to question this narrative, noting that phishing fraudsters are past masters at using any personal information to elicit more data for identity fraud and financial theft.

B“Cyber criminals will leverage the data to spear phish and target the users to socially engineer them to click links and open attachments,” KnowBe4 security awareness advocate, James McQuiggan, tells Assured Intelligence.

“It’s difficult to attribute the millions of phishing emails that go out and the success of those to a specific attack like 23andMe, but no doubt the data has either been sold to other cyber criminal groups or is being used to target the victims of 23andMe whose accounts were exposed.”

Comparitech security specialist, Brian Higgins, goes even further. “The purpose of cyber criminals is to make money, and they know every methodology for every data type,” he tells Assured Intelligence. “I don’t know which incident response playbook this company has decided to follow, but it seems to be up there with The Chronicles of Narnia as a classic work of fiction.”

Why comms should do the driving

Although the letter was theoretically written by and for lawyers on two sides of an impending legal dispute, experts believe it still has important lessons to teach about breach response. For Yvonne Eskenzi, co-founder of cybersecurity PR agency Eskenzi PR, the case is a classic illustration of why comms should take the lead following a serious security breach.

“In a crisis scenario – particularly one at risk of legal action – it can be tempting to let legal departments lead communications. However, this approach risks striking the wrong tone with stakeholders and customers, as in the instance of 23andMe,” she tells Assured Intelligence.

“Comms specialists know how to communicate in a way that gets across important information and the company perspective and will flag issues that could arise with strategies and wording.”

We’ve compiled a list of five reasons why comms should take the lead following such incidents:

1: Angry customers and tarnished reputation

23andMe customers were already angry that the firm changed its Terms of Service following the incident to make filing a class action suit harder. The firm’s lawyers risk inflaming these sentiments and further tarnishing the brand, argues Eskenzi.

“Following a breach, organisations must examine their own security practices and implement steps to prevent it from happening again, and then communicate this to stakeholders,” she says. “Failure to do this is an easy way to enrage victims, and throwing accusations around stokes the legal fire.”

2: Financial impact

Lost customers and a tarnished brand can have a direct financial impact on any organisation. Over half (59%) of UK online consumers would stop shopping at a retailer if it were a victim of a cyber attack, according to Akamai research. Additionally, IBM claims that “lost business” – which includes the “cost of lost customers and acquiring new customers, reputation losses and diminished goodwill” – comprises 29% of total average breach costs.

“A poorly handled cyber attack can be costly both financially and reputationally,” argues Eskenzi. “Statements like these are damage control. They shouldn’t throw your team or customers into more chaos. Act confidently, but with caution.”

3: Lawyers can dehumanise incidents

At times like these, customers want empathy, argues Kate Hartley, co-founder of crisis comms training provider Polpeo.

“What is it like to be the victim here? Act based on what people need from you, not just what you need to cover up the crisis,” she tells Assured Intelligence. “Think what it’s like to have your data stolen, and then be told it’s your fault. Then decide what to do.”

4: Crisis management should be a team effort

Taking a comms- rather than legal-led approach may improve consensual decision-making and ultimately deliver a better outcome.

“Just because it’s legal doesn’t make it right. Leaders should listen to advice from their communications people and their lawyers – and then decide what’s right for the business based on a combination of legal, moral and reputation considerations,” argues Hartley. “Doing the right thing by your customers is a good place to start.”

5: Lawyers can leave an information black hole

23andMe customer Alyson Hu filed a class action lawsuit on December 26, noting that a breach notification from the firm was concerningly light on detail.

“Since the [23andMe data breach] occurred, several news sources have reported that threat actors listed mass amounts of the stolen data for sale on the dark web,” Hu reportedly alleged. “Defendant has failed to address these reports, failed to inform victims when and how the data breach occurred and has even failed to say whether the security threat is still a risk to customers.”