Skip to content

7 Key Lessons for CISOs from the 2023 23andMe Cyber Attack

The 2023 cyber attack on 23andMe represents one of the most alarming breaches in recent years, demonstrating the devastating consequences of inadequate cybersecurity measures in an era where personal data is a prime target.

As one of the world’s most well-known genetic testing companies, 23andMe held sensitive information about millions of customers, including personal health data and DNA-related insights. When hackers gained access to this treasure trove of information through a large-scale credential stuffing attack, it set off a chain reaction of lawsuits, regulatory scrutiny, financial turmoil, and, ultimately, a bankruptcy filing.

This incident serves as a stark warning to CISOs across industries: failing to prioritize robust security practices can lead to existential threats for organizations.

The Scale of the 23andMe Breach

The breach impacted approximately 7 million customers, exposing personal details such as full names, birth years, geographic locations, and genetic ancestry data. For a company like 23andMe, whose entire business model revolves around the trust and confidentiality of highly sensitive genetic information, this breach was catastrophic.

Unlike traditional cyberattacks that compromise financial records or login credentials, this breach involved deeply personal data that cannot be changed—DNA information is permanent, making the consequences far more severe for affected individuals.

The attack itself was not the result of a sophisticated zero-day exploit or nation-state hacking campaign. Instead, hackers used a credential stuffing technique, in which they took usernames and passwords from previous unrelated data breaches and used automated tools to attempt logins across 23andMe’s platform.

Because many users reuse passwords across multiple sites, the attackers were able to gain access to millions of accounts. Once inside, they leveraged 23andMe’s “DNA Relatives” feature to extract additional customer data, significantly amplifying the scope of the breach.

The Aftermath: Legal, Regulatory, and Financial Fallout

The fallout from the attack was swift and severe. More than 40 class-action lawsuits were filed against 23andMe in the wake of the breach, with 35,000 customers initiating or threatening arbitration claims.

The Federal Trade Commission (FTC) launched an investigation into the company’s data security practices, and attorneys general from 42 U.S. states and the District of Columbia began probing the breach. Internationally, 12 foreign regulators, including those from Canada and the U.K., initiated inquiries into the handling of customer data.

Financially, the breach placed an enormous strain on 23andMe. The company had to pay a $30 million settlement to resolve some lawsuits, but legal battles continued to drag on, increasing legal costs and further damaging the company’s financial standing. Customers lost trust in the brand, leading to a drop in new subscriptions and revenue. Investors grew wary, leading to declining market confidence.

Eventually, 23andMe filed for bankruptcy, marking one of the most significant instances of a cybersecurity breach directly contributing to a company’s financial collapse. While other companies have suffered cyberattacks and survived, the nature of 23andMe’s business—handling sensitive genetic data—meant that trust was difficult, if not impossible, to rebuild. The breach effectively crippled the company’s ability to operate.

Why This Breach Is a Wake-Up Call for CISOs

For Chief Information Security Officers (CISOs), the 23andMe breach underscores several critical lessons in cybersecurity. The attack was preventable—stronger authentication policies, proactive monitoring for credential stuffing attempts, and a robust incident response plan could have mitigated the damage or stopped the breach altogether.

This incident highlights the importance of securing sensitive personal data, enforcing multi-factor authentication (MFA), preparing for legal and regulatory fallout, and ensuring cybersecurity is a core pillar of business resilience.

In the sections that follow, we will examine seven key lessons from the 23andMe breach that every CISO must take to heart in order to prevent similar disasters.

Lesson 1: The Danger of Credential Stuffing Attacks

The 2023 23andMe cyber attack highlights a critical yet often overlooked cybersecurity threat: credential stuffing. This type of attack exploits human behavior—namely, the tendency to reuse passwords across multiple online accounts. It is a low-effort, high-reward attack technique for cybercriminals, making it one of the most common threats facing businesses today.

In the case of 23andMe, hackers leveraged this method to gain unauthorized access to millions of customer accounts, ultimately leading to a massive data breach with severe financial, legal, and reputational consequences.

This lesson emphasizes the dangers of credential stuffing, the necessity of multi-factor authentication (MFA), and the importance of enforcing strict authentication policies to mitigate such risks.

How the 23andMe Breach Occurred Due to Credential Stuffing

Credential stuffing attacks rely on previously compromised username-password pairs that have been leaked from other breaches. Cybercriminals use automated scripts to test these stolen credentials across different platforms, exploiting users who habitually reuse passwords.

In the case of 23andMe, hackers did not breach the company’s internal systems directly. Instead, they capitalized on the weak security practices of individual users who had reused passwords that had already been compromised elsewhere. Once they successfully accessed accounts, they took advantage of 23andMe’s “DNA Relatives” feature, which allowed them to collect additional sensitive information from other linked accounts. This exponentially increased the scale of the breach.

Why Multi-Factor Authentication (MFA) is Essential

One of the biggest failings in this breach was 23andMe’s lax approach to authentication security. At the time of the attack, 23andMe did not enforce mandatory multi-factor authentication (MFA), despite handling highly sensitive personal and genetic data.

MFA is a critical security measure that adds an additional layer of protection beyond just a username and password. It typically involves:

  1. Something you know – A password or PIN.
  2. Something you have – A mobile authentication app, a security key, or SMS verification.
  3. Something you are – Biometric authentication like fingerprint or facial recognition.

Had MFA been mandatory, the credential stuffing attack would have been largely ineffective because stolen passwords alone wouldn’t have been sufficient to access accounts. This highlights a key takeaway for CISOs: If your organization handles sensitive customer data, MFA should not be optional—it should be enforced by default.

Educating Users on Password Hygiene

While implementing strong authentication mechanisms is crucial, user education remains a fundamental pillar of cybersecurity. Many breaches, including 23andMe’s, exploit human error—specifically, the reuse of weak or previously compromised passwords.

CISOs should lead comprehensive security awareness programs that educate users about:

  • The dangers of password reuse: Users must understand that using the same password across multiple sites significantly increases the risk of credential stuffing attacks.
  • How to create strong passwords: Encourage users to adopt passphrases instead of simple passwords (e.g., “CorrectHorseBatteryStaple” is stronger than “Password123”).
  • The use of password managers: These tools generate and store complex, unique passwords for every account, reducing reliance on weak passwords.
  • How to check if credentials have been compromised: Websites like Have I Been Pwned? allow users to check if their login credentials have been exposed in past breaches.

Organizations can reinforce security hygiene by:
✅ Sending regular security reminders about password best practices.
✅ Running internal phishing simulations to test employee awareness.
✅ Providing automated password health checks for users.

Enforcing Stricter Authentication Policies

CISOs must go beyond education and implement enforceable authentication policies that significantly reduce the risk of credential stuffing. This includes:

1. Mandatory Multi-Factor Authentication (MFA)

  • Ensure that MFA is required for all user and employee accounts, especially those accessing sensitive data.
  • Implement phishing-resistant MFA, such as security keys or app-based authentication, rather than SMS-based codes (which can be intercepted).

2. Password Complexity and Rotation Policies

  • Require passwords to be long, complex, and unique (e.g., at least 12-16 characters with a mix of uppercase, lowercase, numbers, and symbols).
  • Implement automated password screening against known breached passwords.
  • Enforce periodic password resets and disallow users from reusing old passwords.

3. Adaptive and Risk-Based Authentication

  • Use AI-driven risk-based authentication, where additional security measures are triggered based on unusual login patterns (e.g., logging in from an unrecognized device or location).
  • Implement account lockout mechanisms that temporarily block access after a set number of failed login attempts, preventing automated credential stuffing attacks.

4. Continuous Monitoring and Threat Detection

  • Deploy real-time monitoring tools to detect and block credential stuffing attempts.
  • Implement AI-driven anomaly detection that flags unusual login behaviors and alerts security teams.

Key Takeaways for CISOs

The 23andMe breach serves as a clear warning that credential stuffing remains a major cybersecurity risk. It underscores the need for stronger authentication mechanisms, proactive user education, and enforceable security policies to prevent similar attacks.

✅ MFA must be mandatory, not optional.
✅ Users should be educated on password security best practices.
✅ CISOs must enforce strong authentication policies and proactive monitoring.
✅ Organizations should adopt AI-driven security measures to detect suspicious login activities.

By learning from 23andMe’s mistakes, CISOs can proactively defend against credential stuffing attacks and protect both their organizations and their customers from similar security breaches.

Lesson 2: The Consequences of Poor Data Protection

The 2023 23andMe cyber attack serves as a critical reminder that data is the ultimate prize for attackers—and when that data includes personal genetic information, the stakes are even higher. Unlike financial data, which can be reset (such as credit card numbers), genetic data is immutable. Once exposed, it can be misused indefinitely.

This lesson focuses on why CISOs must treat sensitive data as a prime target, the importance of encryption and segmentation, and best practices for securing high-value data.

The Nature of the Data Compromised: Personal Genetic Information

Unlike typical breaches that expose credit card numbers, email addresses, or passwords, the 23andMe hack compromised highly sensitive genetic and personal data of nearly 7 million users. This data included:

  • Names, email addresses, and locations
  • Genealogy data (ancestry matches and relationships)
  • Health-related genetic predispositions

Such data cannot be changed or reset and has long-term implications for affected individuals, including:

  • Discrimination risks – Potential misuse by insurance companies or employers.
  • Privacy violations – The exposure of family connections, potentially leading to identity theft or social engineering attacks.
  • Genetic identity theft – The risk of criminals using genetic data for fraud.

The permanence of genetic data makes breaches like this particularly damaging. It underscores the need for robust data protection measures to prevent unauthorized access.

Why CISOs Must Treat Sensitive Data as a Prime Target

One of the biggest failings in the 23andMe breach was inadequate data protection at both the technical and policy levels. Organizations handling sensitive personal data must assume they are a prime target for attackers and implement zero-trust principles to mitigate risks.

1. Sensitive Data is a High-Value Target

Personal and genetic data is valuable on the dark web, where cybercriminals sell stolen information for financial gain. Unlike stolen passwords (which can be changed), leaked genetic information remains permanently compromised.

2. Compliance Alone is Not Enough

Many organizations focus on regulatory compliance (e.g., GDPR, CCPA) without going beyond the minimum security requirements. Compliance should be the starting point, not the end goal. CISOs must enforce robust security policies that exceed regulatory mandates.

3. Data Should Be Protected at All Levels

Security teams must implement multi-layered protection to safeguard data at:
✅ Rest (stored data) – Using strong encryption.
✅ Transit (moving data) – Using TLS/SSL encryption.
✅ Access (who can view the data) – Using strict access controls.

Best Practices for Encrypting and Segmenting High-Value Data

To prevent breaches like 23andMe’s, CISOs should implement best-in-class data protection strategies, including encryption, segmentation, and strict access controls.

1. End-to-End Encryption for All Sensitive Data

Encryption ensures that even if attackers gain access, they cannot use the stolen data.

  • Encrypt genetic and personal data both at rest and in transit.
  • Use strong encryption standards such as AES-256 for storage and TLS 1.3 for transmission.
  • Implement homomorphic encryption where applicable, allowing secure data processing without decryption.

Had 23andMe fully encrypted genetic data, hackers would have stolen unusable information.

2. Data Segmentation to Limit Exposure

23andMe’s biggest mistake was failing to segregate sensitive data from general user accounts.

  • Separate customer authentication data from genetic data to reduce exposure.
  • Use database segmentation to ensure that even if one dataset is breached, the entire system isn’t compromised.
  • Implement access control lists (ACLs) and role-based access control (RBAC) to restrict access based on user roles.

Example: If a hacker breaches a user’s account, they should not be able to access connected family members’ genetic data. Data segmentation would have prevented this escalation.

3. Zero Trust Security Model for Data Access

A Zero Trust model ensures that no entity—inside or outside the organization—is automatically trusted.

  • Require continuous authentication for sensitive data access.
  • Use privileged access management (PAM) to limit exposure to only those who absolutely need access.
  • Implement just-in-time (JIT) access—users should only have access for a limited period, reducing risk.

Had Zero Trust principles been implemented, attackers wouldn’t have been able to move laterally across the 23andMe system.

4. Real-Time Threat Detection and Monitoring

CISOs should implement AI-driven security monitoring to detect suspicious activity in real time.

  • Use AI-based anomaly detection to flag unusual data access patterns.
  • Deploy user behavior analytics (UBA) to identify abnormal behavior—such as mass data downloads.
  • Implement automated response mechanisms to immediately lock accounts showing signs of compromise.

A real-time monitoring system could have detected and mitigated the attack early, reducing the breach’s scale.

Key Takeaways for CISOs

The 23andMe breach highlights the severe consequences of poor data protection. Sensitive data—especially genetic and personal information—requires beyond-standard security.

✅ Encrypt all sensitive data at rest and in transit.
✅ Segment data to minimize breach impact.
✅ Adopt Zero Trust principles for data access.
✅ Deploy AI-driven security monitoring for real-time threat detection.

By treating sensitive data as the ultimate target, CISOs can prevent catastrophic breaches and protect their organizations from financial, legal, and reputational fallout.

Lesson 3: The Legal and Regulatory Fallout of a Data Breach

The 2023 23andMe cyber attack not only compromised 7 million customers’ sensitive data, but also triggered a massive legal and regulatory response. The aftermath included:

  • Over 40 class-action lawsuits
  • 35,000 arbitration claims
  • A Federal Trade Commission (FTC) investigation
  • 42 state attorneys general launching probes
  • 12 international regulators demanding accountability

This level of legal scrutiny should serve as a wake-up call for CISOs: a major data breach can quickly turn into a legal and financial disaster. Organizations that fail to protect sensitive data face crippling lawsuits, government penalties, and long-term reputational damage.

This lesson explores why regulatory compliance is crucial, the consequences of failing to meet data protection laws, and how CISOs can implement proactive legal and compliance strategies to avoid the fate of 23andMe.

Overview of the Lawsuits and Regulatory Actions

When 23andMe disclosed its data breach, legal and regulatory scrutiny escalated rapidly. The company faced multiple investigations and legal actions from different entities:

1. Class-Action Lawsuits and Arbitration Claims

Customers sued 23andMe for failing to protect their personal and genetic data, with claims citing:

  • Negligence – Inadequate security practices led to the breach.
  • Privacy Violations – Exposure of sensitive genetic information.
  • Failure to Notify – Delayed breach disclosures increased risks for users.

The sheer scale of legal action—over 40 lawsuits and 35,000 arbitration claims—forced 23andMe into costly settlements exceeding $30 million, with more pending litigation complicating the company’s financial future.

2. Federal Trade Commission (FTC) Investigation

The FTC launched a probe into whether 23andMe violated consumer protection laws, particularly in:

  • Misrepresenting its security standards
  • Failing to adequately protect user data
  • Not properly informing customers about the risks

If found guilty of violations, the company could have faced hefty fines and mandatory compliance orders.

3. State Attorney General Investigations

A coalition of 42 state attorneys general (plus Washington, D.C.) began an investigation into potential violations of consumer protection and data privacy laws. This level of scrutiny signals that state regulators are aggressively targeting cybersecurity failures.

4. International Regulatory Actions

Since 23andMe had users worldwide, global regulators demanded accountability:

  • Canada and the U.K. launched a joint investigation into privacy violations.
  • Other EU regulators likely assessed GDPR violations, which could result in fines of up to 4% of annual revenue.

The Importance of Compliance with GDPR, CCPA, and Other Data Privacy Laws

Had 23andMe fully complied with global data protection laws, the impact of the breach could have been minimized. CISOs must prioritize compliance with major regulations, including:

1. General Data Protection Regulation (GDPR) – EU

The GDPR enforces strict data protection requirements:
✅ Companies must encrypt personal data and implement privacy by design.
✅ Breach notifications must be made within 72 hours.
✅ Non-compliance penalties reach €20 million or 4% of annual global revenue.

Potential GDPR fines from this breach could have been financially devastating for 23andMe.

2. California Consumer Privacy Act (CCPA) – U.S.

Since 23andMe operates in California, CCPA compliance was crucial:
✅ Consumers have the right to know what data is collected.
✅ Users can opt out of data sharing.
✅ Companies face severe penalties for data breaches.

A CCPA violation can result in fines of up to $7,500 per affected customer—meaning 23andMe’s 7 million affected users could have triggered massive fines.

3. Other U.S. State and Federal Privacy Laws

Other states—like New York, Colorado, and Virginia—have enacted their own data privacy laws. The FTC and SEC are also increasing cybersecurity mandates, making compliance even more complex.

Proactive Legal and Compliance Strategies for CISOs

To avoid the legal chaos that 23andMe faced, CISOs must take proactive steps to strengthen regulatory compliance and reduce legal exposure.

1. Implement a Robust Data Protection Framework

  • Encrypt all personally identifiable information (PII) and sensitive data.
  • Enforce access controls and multi-factor authentication (MFA) to prevent credential-based attacks.
  • Deploy real-time security monitoring to detect and contain breaches early.

Had 23andMe implemented stricter data security measures, it could have avoided regulatory penalties.

2. Align Cybersecurity with Legal and Compliance Teams

  • CISOs should work closely with legal departments to stay ahead of evolving privacy laws.
  • Conduct regular compliance audits to ensure adherence to GDPR, CCPA, and other frameworks.
  • Implement privacy impact assessments (PIAs) before launching new data initiatives.

An integrated legal-cybersecurity approach minimizes risk exposure.

3. Establish a Comprehensive Breach Response Plan

  • Create a regulatory response team to handle investigations efficiently.
  • Develop standard operating procedures (SOPs) for breach notification compliance.
  • Work with legal counsel to draft incident response playbooks.

If 23andMe had an efficient breach response plan, it could have reduced lawsuits and regulatory scrutiny.

4. Secure Cyber Insurance to Mitigate Financial Risk

Cyber insurance can help cover legal fees, settlements, and regulatory fines.

  • Ensure policies specifically cover GDPR and CCPA penalties.
  • Regularly assess coverage limits to match evolving risks.

Given its legal liabilities, 23andMe’s financial situation would have been less severe if it had proper cyber insurance.

Key Takeaways for CISOs

The 23andMe legal fallout proves that data breaches aren’t just cybersecurity problems—they are business and legal disasters. CISOs must:

✅ Prioritize compliance with GDPR, CCPA, and other data privacy laws.
✅ Work closely with legal teams to ensure proactive risk mitigation.
✅ Implement a robust breach response strategy to avoid regulatory penalties.
✅ Secure cyber insurance to protect against financial losses from lawsuits.

CISOs who treat cybersecurity as a legal and compliance issue will be better prepared to protect their organizations from costly regulatory and legal battles.

Lesson 4: The High Cost of Incident Response Failures

In the aftermath of the 2023 23andMe cyber attack, it became apparent that the company’s incident response (IR) strategy was inadequate. The breach, which exposed sensitive genetic information of 7 million customers, escalated into a legal and financial disaster largely due to the delayed and disorganized response.

This failure not only compounded the damage but also deepened the reputational impact, leading to 40+ class-action lawsuits, arbitration claims, and an ongoing investigation by the Federal Trade Commission (FTC), among others.

This lesson explores how poor incident response made the situation worse, what CISOs can learn from 23andMe’s mistakes, and the importance of having a well-defined, proactive breach response strategy to mitigate the far-reaching consequences of a cyber attack.

How 23andMe’s Incident Response Worsened the Situation

The 23andMe cyber attack highlighted several key failures in their incident response that had a lasting impact on the company. While details about the exact timeline of the breach were scarce, it became clear that the company struggled to manage the attack effectively in several ways:

1. Delayed Detection and Containment

One of the most critical failures in 23andMe’s incident response was the delayed detection of the breach. Credential stuffing attacks, which were believed to be the attack vector, could have been caught much earlier with effective monitoring systems and real-time threat detection. Instead, the breach continued for a significant period, allowing hackers access to millions of sensitive records.

Without quick identification, the attackers had ample time to exploit the compromised data, further exacerbating the breach’s scope and impact. Had AI-driven threat detection tools been in place, 23andMe may have been able to identify abnormal login patterns and respond far sooner.

2. Ineffective Communication and Public Disclosure

Another notable failure was the lack of effective communication both internally and externally. 23andMe did not provide clear, timely, and transparent information regarding the breach. Customers, as well as regulatory bodies, were left to discover the details of the incident through court filings and lawsuits rather than proactive disclosures from the company.

A delayed response to regulatory bodies also triggered investigations from multiple agencies, including the FTC and attorneys general from 42 states, further straining the company’s legal position.

This situation underscores the need for a well-crafted communication strategy during a breach. CISOs must prepare clear messaging for both the public and the internal teams to ensure that accurate information is shared quickly, reducing panic and confusion.

The Importance of a Well-Defined Breach Response Plan

A comprehensive incident response (IR) plan is crucial to mitigating the damage from any cyber attack. The 23andMe breach serves as a prime example of why incident response preparedness is essential. By having a well-defined, well-practiced IR plan, companies can react swiftly, minimize the damage, and protect both customer trust and legal standing.

1. Pre-Breach Planning and Scenario Exercises

To effectively handle an incident, organizations must invest in proactive preparation before a breach occurs. This includes:

  • Developing detailed playbooks that outline step-by-step procedures to follow during an attack.
  • Conducting simulated breach exercises to test how various teams (security, IT, legal, PR) would respond under pressure.
  • Creating clear lines of communication and roles and responsibilities within the team.

23andMe’s lack of preparation may have contributed to their slow response, exacerbating the breach’s scale.

2. Rapid Detection and Response

One of the cornerstones of effective incident response is the ability to detect threats early and contain them swiftly. Automated detection systems, integrated with AI and machine learning models, can quickly identify abnormal behavior or unauthorized access.

For example, credential stuffing attacks often involve attempts to log in with large sets of usernames and passwords obtained from previous breaches. By leveraging real-time monitoring tools to detect these anomalous login attempts, 23andMe could have taken quick action to stop the attackers before they accessed sensitive data.

3. Legal and Regulatory Coordination

In the case of a breach involving personal data, coordinating with legal teams is essential to ensure compliance with data protection regulations (like GDPR and CCPA). A well-structured legal strategy within the IR plan helps to:

  • Ensure compliance with notification requirements.
  • Manage risk by preparing the company for potential regulatory fines.
  • Coordinate with external legal counsel to defend against lawsuits.

23andMe’s failure to act quickly and coordinate with regulatory bodies allowed the breach to spiral into legal chaos, which could have been mitigated with a more structured response.

4. Transparent Communication with Stakeholders

During a breach, clear and timely communication with all stakeholders—employees, customers, partners, and regulators—is critical. A transparent response can help to manage the public’s perception and reduce reputational damage.

  • Proactively notify affected users about the breach and the steps being taken to mitigate harm.
  • Provide guidance on how customers can protect themselves, such as by changing passwords or monitoring accounts.
  • Work with the media to ensure accurate information is disseminated, preventing misinformation.

Effective communication can preserve customer trust, which is often the most difficult asset to regain after a breach.

Key Components of an Effective Incident Response Strategy

To ensure that the next breach is handled more effectively, CISOs must focus on building a robust and dynamic incident response framework that includes the following components:

1. Threat Intelligence and Monitoring Tools

By using advanced threat intelligence tools and AI-powered security solutions, organizations can detect intrusions more effectively and respond faster. These systems provide continuous monitoring and alert security teams to potential risks, making them critical for early detection.

2. Incident Response Team (IRT)

A dedicated incident response team should be available 24/7 to respond to breaches. This team should consist of:

  • Security experts
  • Legal and compliance officers
  • Communication specialists
  • PR managers

The IRT should be trained regularly in handling different types of security incidents, ensuring they are ready to deploy the appropriate response measures.

3. Breach Containment and Data Protection

The containment phase of an incident response involves quickly isolating the affected systems, stopping data exfiltration, and securing vulnerable points of entry. Ensuring that data is encrypted and stored securely will also help minimize the risks associated with data breaches.

4. Post-Incident Review and Continuous Improvement

Once the immediate threat is resolved, it is crucial to conduct a post-incident review. This review should include:

  • Assessing the effectiveness of the response.
  • Identifying areas for improvement.
  • Updating the incident response plan based on lessons learned.

23andMe’s lack of post-breach analysis and failure to adapt contributed to the extended legal and financial fallout.

Key Takeaways for CISOs

The failure of 23andMe’s incident response underscores the importance of being fully prepared for a breach. For CISOs, the lessons are clear:

  • Invest in real-time threat detection to catch breaches early.
  • Develop and regularly test an incident response plan that includes a comprehensive approach to detection, communication, legal coordination, and containment.
  • Ensure transparency in communications with customers and regulators.
  • Learn from each incident and continuously improve breach response strategies.

A well-defined, practiced incident response plan is not just a best practice—it’s a critical element of cyber resilience and business survival. For CISOs, effective incident response can make the difference between mitigating a breach and allowing it to spiral into a corporate catastrophe.

Lesson 5: The Reputational Damage and Business Impact of a Breach

The 2023 23andMe cyber attack didn’t just expose the personal genetic data of millions of customers; it severely damaged the company’s reputation and undermined the trust it had built with users. As one of the leading companies in the genetic testing and personalized health space, 23andMe was highly regarded for offering a cutting-edge service that gave consumers insight into their ancestry and health.

However, after the breach, the company’s image took a dramatic hit, demonstrating that reputational damage can often be more devastating than the immediate financial losses following a data breach.

In this lesson, we’ll examine how customer trust in 23andMe plummeted after the attack, why transparency and crisis communication are vital in managing a breach’s fallout, and how CISOs and executives should collaborate on a well-coordinated cybersecurity crisis management strategy to minimize reputational harm.

The Impact on Customer Trust

Customer trust is one of the most valuable assets any business can possess. For 23andMe, the hack exposed more than just personal genetic information—it also exposed critical weaknesses in how the company protected that information.

The breach resulted in a massive loss of confidence from millions of users who had trusted 23andMe with some of their most private and sensitive data. The fact that the breach involved 7 million customers—many of whom shared intimate details about their genetic makeup and family histories—made it even more shocking.

1. Loss of Confidence in Data Security

The breach was particularly unsettling for 23andMe users because the company had marketed its services as secure and reliable. Many customers had entrusted 23andMe with their DNA and health-related information, assuming that the company would take the necessary precautions to protect their data. As a result, when the breach occurred, users felt betrayed, which created a significant gap in the company’s relationship with its customers.

Some users may have feared that their genetic data could be misused for identity theft, insurance discrimination, or even genetic manipulation. This loss of confidence made it difficult for 23andMe to rebuild trust with affected customers, especially given the growing awareness of how personal data can be exploited in the hands of malicious actors.

2. Customer Churn and Brand Loyalty

In the wake of a data breach, customer churn is inevitable. When consumers lose trust in a company’s ability to protect their data, they are more likely to switch to a competitor that offers similar services but with stronger assurances regarding privacy and security. For 23andMe, the hack prompted some users to question whether they should continue to engage with the company’s services, potentially seeking alternatives.

Beyond churn, the long-term impact on brand loyalty can also be severe. Once a company suffers a breach, it can take years—if not decades—to fully restore its reputation. In some cases, the damage is irreparable, and the business may never regain its previous standing.

The Role of Transparency and Crisis Communication

Effective crisis communication plays a crucial role in mitigating the reputational damage caused by a data breach. After the 23andMe breach, the company’s communication strategy was widely criticized for being insufficient and delayed. Customers and regulators were left to discover the details of the breach through legal filings and court documents rather than through direct, proactive communication from the company itself.

1. Proactive and Clear Communication

In the face of a data breach, CISOs must act quickly to notify customers, regulators, and other stakeholders about the breach, its scope, and the steps being taken to mitigate the damage. This is where transparency comes into play. Companies should not try to downplay the situation or withhold critical details to avoid damaging their image. Instead, they should be honest and forthright in communicating the nature of the breach, the information compromised, and the actions being taken to resolve the issue.

By being upfront about the situation, companies can help maintain a level of trust with their users, even in the face of such a serious breach. This is essential for demonstrating accountability and a commitment to resolving the issue in a manner that prioritizes customer security.

2. Regular Updates and Engagement

Effective crisis communication does not end with the initial notification. It is equally important for companies to provide regular updates throughout the duration of the incident. Customers need to know what the company is doing to fix the problem and how it is working to prevent future breaches. This ongoing engagement helps reassure customers that the company is actively addressing the situation and prioritizing their security.

For 23andMe, frequent updates could have gone a long way in restoring customer confidence, especially as new details about the breach emerged. Had the company communicated more regularly, it might have been able to avoid some of the reputational fallout from the breach.

Cybersecurity Crisis Management: A Collaborative Approach

A data breach is a company-wide issue, and its resolution requires collaboration between various departments. While the CISO is typically the lead on technical aspects, executives, including the CEO, legal, and public relations teams, must be involved in the response to ensure a unified and coordinated approach to the crisis. The key to managing the reputational damage lies in cross-department collaboration to create a response plan that balances technical solutions, legal compliance, and customer communication.

1. CISO and Legal Collaboration

As soon as a breach occurs, the legal team needs to be informed to ensure compliance with regulatory requirements, such as breach notifications under GDPR, CCPA, and other data protection laws. CISOs and legal teams should work together to determine whether the breach is subject to mandatory disclosure, assess the company’s liabilities, and develop a legal strategy for handling potential lawsuits and regulatory fines.

2. Public Relations Strategy

The PR team must also be involved from the outset to craft a clear, concise, and transparent message to the public. A crisis communications plan should be prepared that includes:

  • Initial public statements about the breach.
  • Details on how the company is addressing the issue.
  • A roadmap for future actions to ensure the breach does not happen again.

The PR team should also ensure that the company engages with the media in a way that prevents misinformation and clarifies any misunderstandings surrounding the breach.

Key Takeaways for CISOs

For CISOs, the 23andMe breach serves as a stark reminder of the reputational risks associated with data breaches and the importance of managing customer trust. Here are the key lessons for CISOs:

  1. Reputation is Fragile: A breach can severely damage a company’s reputation, and recovery may take years, if it’s even possible.
  2. Proactive Communication is Key: Be transparent about the breach, provide frequent updates, and ensure customers understand the steps being taken to rectify the situation.
  3. Collaborate Across Departments: Crisis management requires the joint effort of the CISO, CEO, legal, and PR teams to ensure a coordinated response to the breach.
  4. Don’t Underestimate Customer Impact: The loss of customer trust can result in long-term consequences, including customer churn and loss of market share.

By being prepared for the worst, maintaining transparency, and ensuring cross-functional collaboration, CISOs can mitigate the reputational impact of a breach and, in some cases, restore customer confidence more effectively.

Lesson 6: The Rising Threat of Class-Action Lawsuits and Settlements

The 2023 23andMe cyber attack highlights the rising threat that data breaches pose not only to a company’s security and reputation but also to its financial stability through legal challenges. As a direct result of the breach, more than 40 class-action lawsuits were filed, with 35,000 individuals threatening arbitration claims, underscoring the financial and legal risks that CISOs must consider in the aftermath of a breach.

The settlement of these lawsuits, including a $30 million payout, was only a temporary relief. The ongoing litigation and regulatory inquiries continue to complicate 23andMe’s legal and financial position, which ultimately contributed to the company’s bankruptcy filing. This lesson will explore the legal implications of a data breach, why CISOs must work closely with legal teams to understand breach liabilities, and strategies for managing legal risks, breach insurance, and limiting exposure to future lawsuits.

The Legal Fallout: Lawsuits and Arbitration Claims

After a data breach of this magnitude, it is almost certain that legal actions will follow. For 23andMe, the breach triggered a flood of class-action lawsuits from affected customers, many of whom were concerned about the misuse of their sensitive personal data, including their genetic and health information. These lawsuits typically focus on allegations of negligence, failure to secure sensitive data, and inadequate breach response. They are often compounded by emotional distress claims, as individuals feel their privacy and personal security have been violated.

1. Class-Action Lawsuits: A Growing Threat

Class-action lawsuits are particularly dangerous because they aggregate the claims of multiple plaintiffs into a single legal case, making them more likely to result in significant settlements or verdicts. Given the highly sensitive nature of the data involved, 23andMe faced potential mass litigation in which the company could be found liable for failing to protect customers’ most personal information. In the case of genetic data, which is unique and potentially highly valuable, the stakes are even higher for both the affected individuals and the company.

2. Arbitration Claims: The Legal Complexity

In addition to class-action lawsuits, 23andMe also faced arbitration claims from customers who sought to resolve disputes outside of traditional courtrooms. Arbitration processes typically have limited discovery and no public proceedings, but they can still result in substantial legal costs for the company. The sheer volume of 35,000 arbitration claims further increased the pressure on 23andMe, as each arbitration could result in individual settlements or awards, all of which required legal resources to manage.

These legal challenges can stretch a company’s resources thin, especially when the breach leads to numerous claims and a significant loss of revenue due to legal costs and settlements.

The $30 Million Settlement: Financial and Strategic Implications

In the wake of the lawsuits, 23andMe reached a $30 million settlement to resolve some of the claims. While this settlement may appear as a quick fix, the costs of a breach are rarely confined to the initial settlement. The long-term financial implications of the breach can be much higher.

1. Direct Financial Losses

The $30 million settlement is only one part of the financial fallout that 23andMe faced. Companies involved in data breaches often must pay additional costs for regulatory fines, cybersecurity improvements, and the costs of notification to affected customers. Moreover, a company’s legal fees can skyrocket when managing multiple lawsuits and arbitration cases. For 23andMe, the combined cost of litigation, fines, and settlement payouts severely impacted its financial standing, eventually leading to a bankruptcy filing.

2. The Indirect Costs: Reputational and Market Impact

In addition to direct legal costs, there are indirect costs that arise from the long-term damage to the company’s brand and market position. As 23andMe faced legal battles, it became more challenging to attract new customers, secure partnerships, and maintain investor confidence. These financial and reputational costs can be just as damaging, if not more so, than the immediate settlements.

Why CISOs Must Collaborate with Legal Teams

The legal and financial fallout from a data breach makes it clear that CISOs cannot act in isolation when responding to a security incident. Close collaboration with the legal team is critical, not only for the initial response to the breach but also for managing the long-term legal risks.

1. Understanding Liability and Exposure

One of the most important aspects of this collaboration is understanding the company’s legal liability and exposure after a breach. CISOs must work with legal teams to assess the scope of the breach and determine the likely consequences in terms of lawsuits, regulatory investigations, and compensation claims. Legal teams can help CISOs understand the risks associated with non-compliance to data protection regulations like GDPR, CCPA, and HIPAA (for health-related data).

2. Developing Proactive Legal Strategies

It is also essential for CISOs to engage with the legal team to develop proactive strategies to minimize the risk of litigation. Legal teams can provide guidance on how to:

  • Communicate with affected customers and regulatory bodies in a way that mitigates legal liability.
  • Limit exposure by leveraging existing breach insurance or working with cybersecurity consultants to assess and improve the company’s security posture.
  • Prepare for future lawsuits by implementing stronger security practices, revising user agreements, and ensuring compliance with data protection regulations.

Strategies for Managing Legal Risks

While the immediate financial burden from settlements and lawsuits may be overwhelming, there are several strategies CISOs can implement to reduce the likelihood of legal fallout from future data breaches.

1. Implementing Breach Insurance

Cybersecurity insurance is one of the most effective tools for mitigating the financial risk of a breach. By purchasing a comprehensive breach insurance policy, companies can offset some of the legal costs associated with class-action lawsuits, regulatory fines, and incident response. This insurance can also cover costs related to customer notification, forensic investigations, and public relations efforts to restore the company’s reputation.

2. Legal Preparedness and Risk Management

CISOs should work closely with the legal department to develop a comprehensive risk management strategy. This should include regular legal reviews of data protection policies, contractual agreements with vendors and partners, and incident response protocols. By addressing legal risk proactively, companies can better manage litigation and reduce their exposure to future claims.

3. Strengthening Data Protection and Compliance

Finally, investing in robust data protection practices, such as encryption, access controls, and regular security audits, can minimize the likelihood of future breaches. Compliance with data protection laws and industry standards, along with continuous monitoring, can help companies avoid significant regulatory penalties and reduce the risk of lawsuits.

Key Takeaways for CISOs

For CISOs, the 23andMe breach offers a valuable lesson in understanding and managing legal risks. The breach underscores the importance of working closely with the legal team to:

  1. Assess and understand breach liability: CISOs must be fully aware of the legal ramifications of a breach, including the potential for class-action lawsuits, arbitration claims, and regulatory scrutiny.
  2. Collaborate on proactive strategies: Collaboration between security and legal teams is essential for minimizing exposure and preparing for the financial costs associated with a breach.
  3. Invest in breach insurance and legal preparedness: CISOs should advocate for cybersecurity insurance and implement risk management strategies to prepare for potential litigation.
  4. Strengthen data protection practices: By implementing better data protection measures, CISOs can reduce the likelihood of future legal issues and improve the company’s security posture.

The rising threat of class-action lawsuits and settlements emphasizes the need for legal preparedness and robust cybersecurity practices. CISOs must recognize that the financial consequences of a data breach extend beyond immediate costs, affecting long-term business viability.

Lesson 7: Cybersecurity as a Business Survival Factor

The final lesson to draw from the 2023 23andMe cyber attack is the crucial role that cybersecurity plays in ensuring business continuity and survival. While data breaches are often seen as security failures, their ramifications go beyond compromised data; they can directly threaten the financial stability and viability of a company. In the case of 23andMe, the attack and its aftermath played a significant role in the company’s eventual bankruptcy filing.

This lesson is a reminder that cybersecurity should no longer be viewed as just an IT issue, but as a core business function integral to protecting the company’s assets, reputation, and long-term success. CISOs must align cybersecurity investments with the broader business strategy to ensure that the organization is resilient to both cyber threats and the potential financial impact of a breach.

Let’s explore why this lesson is important, how CISOs can ensure their organizations stay resilient, and how proactive security measures can serve as a safeguard against business collapse.

Cybersecurity and Business Continuity

The case of 23andMe is a stark reminder that, in today’s digital landscape, cybersecurity is a key determinant of business survival. As a DNA testing company, 23andMe’s entire business model relies on customer trust and the security of sensitive personal data. The breach of 7 million customers’ personal genetic information not only damaged the company’s reputation but also brought into focus the financial fragility of organizations that fail to protect their digital infrastructure adequately.

1. The Fallout of Security Failures

In 23andMe’s case, the attack led to class-action lawsuits, regulatory investigations, and a wave of arbitration claims, costing the company millions. But beyond the immediate legal and financial costs, the breach damaged customer trust in the company’s ability to protect personal data. The company’s market share and consumer base dwindled as a result, and its financial stability was undermined.

The combination of these factors created an environment where investors lost confidence, and 23andMe could not recover from the damage. Eventually, the company filed for bankruptcy, highlighting how cybersecurity failures can directly impact financial outcomes, potentially leading to the collapse of even well-established organizations.

2. The Connection Between Cybersecurity and Financial Stability

The breach at 23andMe underscores the critical importance of cybersecurity investment in safeguarding a company’s revenue streams and long-term financial health. When a company faces a significant breach, it is often forced to divert resources toward litigation and regulatory compliance while simultaneously trying to rebuild its reputation. The long-term damage to a company’s revenue, client base, and investor confidence can be substantial and irreversible, which is why proactive cybersecurity strategies are essential for business continuity.

Aligning Cybersecurity with Business Strategy

To prevent the kind of devastating fallout seen at 23andMe, CISOs must ensure that cybersecurity is an integral part of the overall business strategy. The function of cybersecurity goes beyond protecting data; it is fundamentally tied to an organization’s long-term success and operational effectiveness. By aligning cybersecurity priorities with business objectives, CISOs can not only safeguard the company’s data but also its reputation and financial stability.

1. Proactive Cybersecurity Investments

In the wake of a breach, it becomes clear that cybersecurity must be prioritized at the highest levels of the organization. This means moving away from the reactive, patchwork approach that many organizations still take when it comes to security and adopting a more proactive stance. CISOs must advocate for sufficient budgets for advanced security technologies like AI-powered threat detection, zero trust architectures, and multi-factor authentication (MFA). Investing in these systems upfront can reduce the risk of an attack that could spiral into a crisis like the one experienced by 23andMe.

2. Building a Resilient Security Posture

Cybersecurity should not only aim to prevent breaches but also to ensure that the company can recover quickly if an incident does occur. A resilient security posture involves business continuity planning, disaster recovery, and incident response plans that are aligned with the company’s overall business goals. CISOs must lead the effort to ensure that the organization has systems in place to respond to and recover from breaches quickly, minimizing both the financial and reputational damage.

3. Cross-Department Collaboration

To make cybersecurity a core business function, CISOs need to foster collaboration across various departments, including legal, compliance, marketing, and executive leadership. Each of these departments has a stake in the company’s overall security and business resilience. The legal team plays a vital role in managing compliance with data protection laws (e.g., GDPR and CCPA), while marketing and communications teams must be prepared to handle crisis communications in the event of a breach. Executive leadership, including the CEO and CFO, must understand that the role of the CISO goes beyond IT and has significant financial and strategic implications.

The Importance of Cybersecurity to Investor Confidence

Another critical aspect of cybersecurity as a business survival factor is its impact on investor confidence. In today’s market, investors are increasingly concerned about the risks associated with cyber threats and data breaches. They are more likely to view companies that fail to prioritize cybersecurity as risky investments, particularly if the company has suffered a breach.

In the case of 23andMe, the combination of its financial losses due to lawsuits, settlements, and regulatory fines, along with the erosion of trust, likely contributed to a decline in investor confidence. This loss of investor trust can be devastating for a company, as it may find it difficult to secure funding, partnerships, or market share in the future. As such, CISOs must not only protect the company’s data but also consider the broader financial implications of cybersecurity on company valuation and market perception.

The Case for Proactive Cybersecurity Spending

A key takeaway from 23andMe’s failure is that cybersecurity investments should be considered as a strategic priority, rather than a cost center. CISOs must demonstrate to executives that proactive cybersecurity is an investment in business continuity rather than an expense to be minimized. Just as companies invest in research and development, marketing, and other business functions to ensure their success, cybersecurity should be treated with the same level of importance.

1. Measuring ROI on Cybersecurity Investments

To justify cybersecurity spending, CISOs should focus on measuring ROI based on reduced risk and potential cost savings from avoided breaches. Implementing advanced threat detection systems, regular vulnerability assessments, and security automation tools can help reduce the likelihood of a breach, thus protecting the organization’s financial standing in the long term.

2. Demonstrating the Link Between Security and Business Health

CISOs should communicate clearly to leadership the link between cybersecurity and business health. By proactively investing in cybersecurity, organizations not only avoid financial losses from breaches but also safeguard their brand, market share, and reputation, which are all essential to the bottom line. This approach also positions the company as a trusted and secure entity, which can drive customer loyalty and attract investors.

Key Takeaways for CISOs

From the 2023 23andMe breach, CISOs should understand that cybersecurity is no longer just about defending the network or protecting data—it is a critical component of ensuring business continuity. Key actions for CISOs to take include:

  1. Aligning cybersecurity with business strategy: Ensure that cybersecurity is part of the overall organizational strategy to maintain customer trust, regulatory compliance, and financial stability.
  2. Prioritizing proactive cybersecurity investments: Invest in security technologies and measures upfront to reduce the risk of future breaches.
  3. Building a resilient security posture: Develop and maintain strong incident response, business continuity, and recovery plans.
  4. Collaborating with other departments: Work closely with legal, compliance, marketing, and executive teams to ensure comprehensive risk management.
  5. Demonstrating cybersecurity ROI: Show the value of cybersecurity investments through their potential to prevent financial losses and safeguard business continuity.

In conclusion, CISOs must recognize that cybersecurity is fundamental to the company’s survival in the digital age. By prioritizing security and aligning it with business goals, organizations can better withstand the growing threat of cyberattacks and continue to thrive in an increasingly volatile cyber environment.

Conclusion

It may seem counterintuitive, but a cyber attack can be a powerful catalyst for transformation if organizations respond strategically. While the consequences of the 2023 23andMe breach were severe, they offer a critical opportunity for CISOs to reassess their security strategies and ensure they are not just reacting to threats but anticipating them.

As cyber risks evolve, the true challenge lies in embedding cybersecurity into the core fabric of business operations rather than viewing it as a siloed function. Moving forward, organizations must start measuring the return on their cybersecurity investments—not just in terms of threats avoided but also in terms of business continuity ensured.

The path to resilience begins with cross-departmental collaboration, where security is recognized as a critical driver of not only protection but growth. Looking ahead, the next step for CISOs is to integrate cybersecurity into their organization’s financial strategy, demonstrating its value beyond IT. Additionally, focusing on continuous cybersecurity education for teams, from executives to staff, will ensure that security remains top of mind across all levels.

By transforming cybersecurity into a proactive, business-enabling function, companies can mitigate not only the risks of attacks but also their long-term business impact. This approach will empower organizations to not only survive in the face of ever-evolving threats but thrive as they capitalize on new digital opportunities. Cybersecurity will no longer be a reactive measure but an integral business function that drives strategic success.

The time is now for CISOs to take action—not tomorrow, but today. Let the lessons of 23andMe serve as a catalyst for a shift in mindset that will help protect not just data, but the entire business ecosystem. The future belongs to those who secure it.

Leave a Reply

Your email address will not be published. Required fields are marked *