23andMe has set a new bar for how bad a company’s reaction to a data breach can be, doing their utmost to create a playbook for how not to approach the aftermath of a data privacy disaster.

One of the trail blazers in consumer genetics testing, you likely know numerous people who’ve used 23andMe to fill out a family tree or track down long-lost relatives. Thanks to their influence in the market, the company has biometric data on millions of people around the world, a reality that should under normal circumstances compel a company to treat and protect such sensitive data with the utmost prioritization. 

In 23andMe’s case, it did not. 

An October 2023 data breach eventually concluded that hackers had gained access to the personal and genetic data of 6.9 million 23andMe users. After internal investigation, the company concluded that roughly 14,000 accounts had been compromised, but due to the web of users linking up through the site, hackers were able to steal the data of exponentially more individuals.

Hackers broke into the database through credential stuffing, essentially brute forcing their way through 23andMe’s security systems using usernames and passwords stolen from other breaches, as well as trying untold password combinations to access accounts. 

On one hand, this shows the cascading effect data breaches can have, as putting usernames and passwords out into the world for bad actors to utilize amplifies the risk of subsequent data breaches. On the other hand, 23andMe’s cybersecurity and data protection practices were woefully inadequate. 

The company did not require users to provide two-factor authentication, did not limit the number of sign-in attempts to dissuade credential stuffing, and did not trigger system alarms in the face of unusual sign-in activity. 

For a major company with a user base of over 10 million people, the lack of cybersecurity defenses is surprising, but for a major company with a user base of over 10 million people that deals with genetic and biometric data, that is downright indefensible. 

Since the announcement of the breach in October, 23andMe has been acting on the defensive. The company changed its terms of service on November 30, 2023 to try and prohibit legal action against 23andMe and has fought against dozens of lawsuits that have popped up over the past several months. 

One of the main defenses 23andMe has presented against these cases and one they publicly reiterated in December is that the hack lies at the feet of 23andMe customers. 

An official statement from the company reads, “Users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe … Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the [CPRA].”

To fail to own up to data privacy malpractice is bad enough, but to try and shift blame onto paying customers when any number of cybersecurity standards could have mitigated or entirely prevented this data breach makes this saga one of the most befuddling to play out in the data privacy field.

Large portions of the legal and data protection communities have come out against 23andMe’s response to the incident, with the FTC dropping a blog on genetic testing products and data privacy last Friday. The report does not outright name 23andMe, but is timed impeccably as a response to the data breach and its happenings. 

“Protecting biometric information – including genetic data – is a top FTC priority … It’s no secret that the FTC is focused on making sure that consumers can enjoy the benefits of AI without suffering substantial harms like bias, privacy invasions, or questionable accuracy.”

For such a serious cybersecurity event, 23andMe’s blase dismissal of any responsibility and callous disregard for the basic principles of data privacy have made this one of the key events that privacy professionals will study going forward. 

How anyone could ever trust 23andMe again is a mystery and a reminder that privacy must be proactive, not reactive. Failing to heed that lesson puts your customers at risk, and eventually, your company.