Years ago, in the hopes of finding some far-flung branches on my (very pruned) family tree, I swabbed my cheek and sent a sample of my DNA to 23andMe, a Silicon Valley genetic testing darling whose main office happens to be about a mile away from where I now live.
In mid-August of 2023, a hacker advertised a set of 23andMe user data, claiming that it included profiles of a million users of Ashkenazi Jewish descent and a hundred thousand Chinese users, and that at this point they had already been in contact with 23andMe.
On October 6, 23andMe posted a mealy-mouthed blog post on their site. It did not mention the specific targeting.
On October 7, Hamas attacked Israel in what is now considered the worst intelligence failure in Israel’s history.
On October 12, 23andMe sent out an email to their users from a no-reply address with the exciting subject line “Update to our customers”. It mentioned that they “recently learned” that “certain profile information” that users chose to share was accessed by unauthorized users. The email was careful to note that the data did not appear to be a result of a “data security within [their] systems” and that they’re doing All Sorts of Things about this, namely, engaging law enforcement, conducting their own investigation, and (talk about putting the horse waaay behind the cart) requiring all users to reset their passwords. They spent a paragraph showing off their security credentials and encouraging me to set up MFA.
On October 13, they followed up their email with one notifying me specifically that “DNA Relatives profile information [I] provided in this feature was exposed to the threat actor.”
At no point did they explain what the heck that meant, apologize, express empathy, or show any indication that they gave a single solitary crap about anything except their reputation and legal exposure.
On October 18, hackers announced the leak of millions more profiles. There has been no follow-up announcement from 23andMe.
This is how a large corporation does not rise to the occasion.
Lessons Learned
In a world where data breaches and cyber-attacks are becoming increasingly common, the way a company responds to these crises speaks volumes about its values and integrity. 23andMe's recent handling of their data breach leaves much to be desired and offers some crucial lessons.
Be Transparent: Don't wait for the situation to escalate. If there's a problem, especially one that affects your clients or stakeholders, communicate openly about it. Don’t be like 23andMe, linking to an unclear article. Tell me exactly what data was stolen and how it affects me.
Show Empathy: A simple apology can go a long way. Acknowledge the inconvenience or harm caused and outline the steps you're taking to fix things. Empathy is a business imperative, but it’s also about your integrity.
Be Proactive, Not Just Reactive: Implement robust cybersecurity measures and have a crisis management plan in place. Being prepared can make all the difference when (not if) a crisis occurs.
Balance Self-Protection: While it's essential to protect your legal interests, don't lose sight of your ethical responsibilities to your clients. Few, if any, of the affected 23andMe customers care how the breach occurred. We care about the impact. We care about our safety in a world that is increasingly hostile to our existence.
Engage, Don't Just Broadcast: Use communication channels that encourage dialogue and feedback. Your clients should feel that their voices are heard, especially in times of crisis.
As solopreneurs, nonprofits, and small businesses, we may not have the resources of a giant like 23andMe, but we do have something more valuable: the ability to build genuine, trust-based relationships with our clients and communities. Let's not squander that by falling into the trap of poor communication and lack of empathy.
In the end, rising to the occasion isn't just about navigating a crisis successfully; it's about coming out of it with your integrity intact and your relationships stronger than ever.
I have permanently deleted my profile from 23andMe. Well, as permanently as is possible these days.
If you’re concerned about the breach, read this guide from the Electronic Frontier Foundation.