Blaming Your Customers Isn’t Good Crisis Communications

Thom Weidlich 01.11.24


Late last year, genetic-testing company 23andMe had a data breach that drew a lot of attention. The incident is again in the news and for a particular reason: The company is now blaming its customers. This is not good crisis communications. It’s also a lesson in how legal and communications strategies can collide.

We wrote about the breach last month. At first, 23andMe disclosed that 14,000 customer accounts had been accessed. On Dec. 2, it confirmed to TechCrunch that hackers had in fact accessed data on 6.9 million people, because users had shared information with family through its DNA Relatives feature. The hackers accomplished their feat by logging in with passwords that were the same as those on other hacked websites (so-called credential stuffing).

23andMe faces dozens of lawsuits over the breach. On Jan. 3, TechCrunch reported on a letter the company’s law firm sent to a plaintiffs’ lawyer in which it stated that 23andMe users “negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

Victim Blaming

The letter goes into other issues but, obviously, the victim blaming is what reporters grabbed onto. It’s reminiscent of other scenarios we’ve seen where a company, in legal filings, will seek to deflect blame but ends up pointing fingers at victims. This is often done in the response, called an “answer,” to the initial complaint that gets the lawsuit ball rolling. Lawyers typically don’t imagine reporters will find anything newsworthy in an answer, but that’s not always the case.

The lesson here is, Do you really want headlines like “23andMe Blames Customers for Data Thefts” (Inc. magazine)? It might be a good legal strategy to say your customers are at fault. It’s a terrible communications strategy — even if it’s (at least partly) true.

In addition, security experts are opining that 23andMe could have taken measures to ward off credential-stuffing breaches but apparently didn’t. It could have disallowed passwords that had been compromised. It could have required two-factor authentication, with which customers, after inputting ID and password, are sent a code to also input. Too onerous, you say? It’s exactly what 23andMe instituted, after the breach became public. It also required customers to change their passwords.

To be fair, experts disagree about whether customers should be apportioned some blame for the situation. But it’s not exactly a secret that people recycle passwords (hackers apparently know about it).

Privacy, Security

And of course 23andMe, like all companies, emphasizes how important privacy and security are to its mission. It doesn’t make sense to then turn around and blame your customers.

This is from 23andMe’s summary of its privacy statement: “Your privacy comes first. When you explore your DNA with 23andMe, you entrust us with important personal information. That’s why, since day one, protecting your privacy has been our number one priority.” Its “privacy overview” begins, “At 23andMe, Privacy is in our DNA.”

Is it? Some customers are begging to differ.

Photo Credit: Jennie Book/Shutterstock
