23andMe: Not Your Grampa’s Data Breach

Thom Weidlich 12.07.23


The data hack at genetic-testing company 23andMe, which we got an inkling of in early October, is mutating a bit out of control. Given that the data accessed is at the nucleus of the company’s business model, 23andMe should be more forthcoming in its public communications.

In early October, a hacker claimed to have stolen DNA information of 23andMe users. The company confirmed the intrusion in an Oct. 10 filing with the U.S. Securities and Exchange Commission; it disclosed that “certain profile information” users share with relatives in its DNA Relatives feature had been breached from customers’ accounts. The attackers logged in with passwords that customers had reused on other hacked websites (so-called credential stuffing).

The company’s regulatory submission wasn’t accompanied by a press release, as far as we can tell. Then on Friday, Dec. 1, 23andMe updated the filing, disclosing that the “threat actor” accessed “a very small percentage (0.1 percent) of user accounts.” The company has about 14 million customers, so that equates to 14,000.

Ancestry Information

23andMe was also more forthcoming on the data involved, which included “ancestry information,” “health-related information based upon the user’s genetics” and, again, the information shared in the DNA Relatives feature. It said it was “working to remove this information from the public domain” and also notifying impacted customers as required by law.

But what it wasn’t doing was speaking out publicly, or not much (it has been providing sporadic blog updates). This seems a mistake. Think about it: All data breaches are horrible, but how many disclose your customers’ genetic blueprint (or aspects of it)? You may have your grandparents’ DNA, but this isn’t your grandparents’ data breach. Gizmodo headline: “Time to Change Your DNA.”

The data in question is central to the company’s business, and it should have been better prepared for this crisis — or at least give the impression that it was prepared. Instead, it’s giving the impression that it’s being evasive.

DNA Relatives

It gets worse. On Saturday (the day after the most recent SEC filing), 23andMe confirmed with TechCrunch that hackers in fact accessed the data on 6.9 million people due to the connectedness of DNA Relatives. That’s a lot more than 14,000 — in fact, it’s about half its customers. Why isn’t the company being more open about this? As TechCrunch put it, it wasn’t known “why 23andMe did not share these numbers in its disclosure on Friday.”

It seems like the company is now spoon-feeding the bigger numbers to the media, and the fact that those numbers were previously withheld is becoming part of the story. It also included them in a blog update Tuesday. The lack of public comment is a problem (there’s been some, especially in the Gizmodo piece). Doesn’t 23andMe realize this is an attack on its core — on its DNA, so to speak — and by extension its reputation?
